Rule Title |
Rule Author |
Ruleset Name |
ID |
#Files |
#Undetected Files |
Creation of an Executable by an Executable |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b5386a23355681c43cfbd2f2ccfe4b16ed45324d0d7b5583487a9f302ee1e427 |
6530711 |
801985 |
Wow6432Node CurrentVersion Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
18842e32896dd83b8aca4d5e1ac78c1f66b1d252479c0023cdd02f108c42c8cd |
5869492 |
37574 |
CurrentVersion Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc |
3582224 |
58000 |
CurrentVersion NT Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
d706314122bff93e0dbdf079f1d1904d2f00407f34a893487d70105b1dc5b9ed |
1901094 |
5592 |
Potential Persistence Via COM Search Order Hijacking |
Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien |
Sigma Integrated Rule Set (GitHub) |
7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4 |
1831983 |
143092 |
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
3e5fe19fbbb767b861e93022c3f95d25e1618fc86be75b05326ee57b2f75633c |
1741139 |
232375 |
Scheduled TaskCache Change by Uncommon Program |
Syed Hasan (@syedhasan009) |
Sigma Integrated Rule Set (GitHub) |
d62173552d7fce98c24a7040b784edf35cc6650d2e68ecf2d04f40c58d58cfda |
1545857 |
16571 |
System File Execution Location Anomaly |
Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f |
1510338 |
94939 |
Failed Code Integrity Checks |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
134564d292d785dff102940b8a1ee06dba2d462c5fb852124b3771a49d7885f1 |
1388948 |
582969 |
Hidden Executable In NTFS Alternate Data Stream |
Florian Roth (Nextron Systems), @0xrawsec |
Sigma Integrated Rule Set (GitHub) |
5be9da0a90b142239a3ff2819edf2283938855da3b4c80d63d8e6db63c2c4fe7 |
1386682 |
70423 |
New DLL Added to AppInit_DLLs Registry Key |
Ilyas Ochkov, oscd.community, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
6f134f381913ef9221138f615280ca41e252e823168d7d580ab6e713e10beca2 |
1164100 |
52 |
Password Protected Compressed File Extraction Via 7Zip |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
22e867c244280c1d01bcddc8355c10d82b6c69577cd784cefbbe4eb5e7a82f65 |
1141288 |
329599 |
Change PowerShell Policies to an Insecure Level |
frack113 |
Sigma Integrated Rule Set (GitHub) |
06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1 |
1104684 |
558022 |
DMP/HDMP File Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
67ee86b34b3617ea45dec0ef09b7a71a5f44f5c010ccc9139d92f49685996f49 |
1102439 |
198893 |
Suspicious Outbound SMTP Connections |
frack113 |
Sigma Integrated Rule Set (GitHub) |
3659f9925f327ac0ba2be9b3c8c7240f432c4b62f162b846c10410fff320b6f7 |
935006 |
356 |
Suspicious New Instance Of An Office COM Object |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ffbbcedfb9a1fd41ebb288154c10cf5cf869eb25195708be30f8a9df74f411cc |
728099 |
593531 |
Files With System Process Name In Unsuspected Locations |
Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e13498937de9343f50c1e8f315ce602aa238e37e21f3dbb15d3403c25afafe3e |
672429 |
2777 |
Suspicious Screensaver Binary File Creation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
ad081ff821748a3cd86b5954ef5c3d7d2a6602fe0b6e50ed47938b98bc184122 |
593871 |
4347 |
Change PowerShell Policies to an Insecure Level - PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5572c8188426269a10ccb41fc8e9c8445391ac38a0917621b0a1ee05ec99aac9 |
575401 |
235790 |
Suspicious Get-WmiObject |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1f7f8b1e9005dd4d64cb9d30ed53ee94f68fb96262fbd72f7a0266881149c79f |
570396 |
230933 |
SCR File Write Event |
Christopher Peacock @securepeacock, SCYTHE @scythe_io |
Sigma Integrated Rule Set (GitHub) |
7a463b569de43655b8e8cf5b970001d720c38abf81bce54ba71ad19765b096e7 |
527771 |
3769 |
CMD Shell Output Redirect |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e77646c39db7fa011a5223aeb73c738046787fc7f62a99394e883d76a54341f7 |
512462 |
16506 |
Execution from Suspicious Folder |
Florian Roth (Nextron Systems), Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
f8d48ec1128b00975e61e06393f6bb04a1d033a94c556d213b3bcb78a80589d8 |
506687 |
19602 |
Execution of Suspicious File Type Extension |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2104d1ee1ce64e7aa3dbd368652a54ce160e6a5751019af14601fc8fd1df8086 |
491777 |
22711 |
Modification of IE Registry Settings |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7ca43f2acf2c039e776af286dca2b5216d23967e6e8fe43dd5a5cc95f86e52e5 |
490110 |
24764 |
Suspicious Double Extension Files |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
c9e528bd3557dc88b06bd5d2dfbadd96e24026bd2d890a2604febd2829c3146b |
460083 |
122 |
Windows Processes Suspicious Parent Directory |
vburov |
Sigma Integrated Rule Set (GitHub) |
afd546ea5eff265c454f77f6e7641ade6e5a791d79de155fa27d377be1581535 |
414711 |
918 |
Potential Defense Evasion Via Binary Rename |
Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades) |
Sigma Integrated Rule Set (GitHub) |
686a5b6d5e098e507256a7207e9e4a237bb378c824f67f13ee0402525833b257 |
408252 |
49504 |
Process Creation Using Sysnative Folder |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1dfbc92aba26dc597751f9cf42ff3eac446b827525d1a38ea6fb4141c9f9af01 |
403947 |
147764 |
Rundll32 Internet Connection |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4725cdcf2dfdd90c3aa0d331fae77d6ac8021c254701744a01444af04e9a0e69 |
359912 |
48140 |
Use Remove-Item to Delete File |
frack113 |
Sigma Integrated Rule Set (GitHub) |
d9b2eb00753c3049fbb4ed4f7d88f29b65a0c50bec45ff4723b95bb637f8f83d |
358344 |
153681 |
User with Privileges Logon |
frack113 |
Sigma Integrated Rule Set (GitHub) |
8919a871f4a52b7af785fab44b4665ab6a3637e6ebeeac0288df8a5012a48be2 |
350576 |
157725 |
Python Initiated Connection |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e4d5f1be0673fa786cc8379c15338af08cdd11eed433bead9e801d6204d42a2d |
325787 |
78378 |
Use NTFS Short Name in Command Line |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c0bf6ba71da9d0f13368b0f1281354c8f9b3d491845ea5902282fece277ec655 |
320267 |
9906 |
New RUN Key Pointing to Suspicious Folder |
Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing |
Sigma Integrated Rule Set (GitHub) |
27b72c2678411f21ba21bd10b44b7e9c45594d5a5f61f14223b81a8906675039 |
306827 |
9421 |
Service Binary in Suspicious Folder |
Florian Roth (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
71686ca6fd31ecd29454e2d39e38be5c971f96ad539e461b7d1d79b85f90182a |
304246 |
6485 |
Common Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) |
Sigma Integrated Rule Set (GitHub) |
aa1c4ee10caaa9d521b34246c51e0c22c8af0a4b7fdb1cdd9faf1182ef6dd14c |
287789 |
874 |
Suspicious DNS Query for IP Lookup Service APIs |
Brandon George (blog post), Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
3a2766a08d32a855b604a786cddc0f76fee13e6ccd22e01d4878150f0ef1eebc |
285950 |
9418 |
Uncommon Svchost Parent Process |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a0daa529834b3c5230b4524da005a6b6503e7cb061e298a8f74e0dc1fee0a008 |
284862 |
1123 |
Monero Crypto Coin Mining Pool Lookup |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0752dd4f3de82ada650a6c6ed1887cc940d8f55e130fec468ce0df9b2ec4ef25 |
270567 |
38 |
Non Interactive PowerShell Process Spawned |
Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
Sigma Integrated Rule Set (GitHub) |
1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f |
267123 |
32552 |
Renamed Office Binary Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bb031bd9cea5bfc07d877d0deeef37ed046229fe8cb82202aefe3220d14c8626 |
251566 |
3378 |
Registry Modification to Hidden File Extension |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e6d175111f1e8dfecb77e2bbe404bdaad31873a97477136b427187abb5d09a89 |
245770 |
177 |
Network Communication With Crypto Mining Pool |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5f96c8ad390b56fba16309ec092ccde0290c7896bd2bfd7c49b738c77dc36bde |
241044 |
21 |
Suspect Svchost Activity |
David Burkett, @signalblur |
Sigma Integrated Rule Set (GitHub) |
dc04e64e69f5446c2a31920ee22415626307d5f3d0fb73ad81b9d3301a41000a |
235921 |
352 |
Vulnerable Driver Load |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
efe6f377eb5896688f0baa7d44db4fc8d0639fa43f0d3dbb262bde8a7eb7b453 |
231778 |
759 |
Disable UAC Using Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
80708cad12d59acde6c91bdfbb0ed867ffd0538e97f962f2ffd72040a66ecb6b |
231258 |
715 |
Service Binary in Uncommon Folder |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a55e06a3fb02c5ab9e6338bc2b61d50ebaa7e4236c27862400b7633243f477be |
231166 |
9284 |
Vulnerable WinRing0 Driver Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6e6298fff951b11ea6aa772fe7d022e50af3068aa7254be68850f49e45e0ed13 |
229194 |
184 |
Driver Load From A Temporary Directory |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
539dcb36e9155d97ed39c68182bde1733b86e2785cbef70586ce6a771645c425 |
221997 |
741 |
Suspicious Microsoft Office Child Process |
Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io |
Sigma Integrated Rule Set (GitHub) |
6a6edfdea6536f74ea66bf73682ed52f4b86435793ed76ff38e3ab0523f029f5 |
219682 |
462 |
Startup Folder File Write |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
56b8c79acb8e444c2b00be5c9d3cb8e33e863ccb3506d635f907a49cd053c84f |
219674 |
5451 |
Suspicious File Created In PerfLogs |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a689c467d9cf931ad8d7fcb39456815daf9e5fb748bad72f1269eb6a8d64c5a0 |
213227 |
8 |
Suspicious Schtasks From Env Var Folder |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0533322c5c44794b71e761cd351a2459aad6e21ae95c9543d4c9fdb3c8fde6c4 |
211344 |
2029 |
Use Short Name Path in Command Line |
frack113, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
3c0434c2b9b483a1c7879404c2a80556dc54436bf222a970ca7131b1f30079f1 |
210625 |
26905 |
Powershell Defender Exclusion |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7e416af5a1bb67fdbd2f30ae3f5da7f74583460b36546527c909c354fb5dcd00 |
203958 |
2418 |
Audit Policy Tampering Via Auditpol |
Janantha Marasinghe (https://github.com/blueteam0ps) |
Sigma Integrated Rule Set (GitHub) |
33a4a18ae1a3802586c239be79075294541594b5b603c230af39618577e03fae |
201485 |
32687 |
Stop Windows Service Via Sc.EXE |
Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
dd1cc05e1a1d9416b75088f7ba5586374900fc625479abf320585293e9e21639 |
197673 |
3234 |
Process Start From Suspicious Folder |
frack113 |
Sigma Integrated Rule Set (GitHub) |
539d657ea3dfb52773cd8616d93fd64ba9112091984d1c3eb044c6e5dadd2c5c |
188309 |
53171 |
File Deletion Via Del |
frack113 |
Sigma Integrated Rule Set (GitHub) |
77ed185ff979a8d9206b5eed07bf6d5823529f713ed0ea19f2ef7a4a355568bc |
184532 |
3696 |
Scheduled Task Creation Via Schtasks.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3bc9d14114a6b67367a24df21134d0564d6f08a0ad903d68f9b25e9d8b7f0790 |
179857 |
2482 |
Rundll32 Execution With Uncommon DLL Extension |
Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou |
Sigma Integrated Rule Set (GitHub) |
e7856bac967038b016efab8e4f315a2f16ccd6ba62f20d73df0ad3826fe654a3 |
177806 |
23548 |
Potential Persistence Via COM Hijacking From Suspicious Locations |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c64a541b46d176ef960f347f5e86ee15927eb668f86a5f9f6260bbc94b1d2f3a |
177370 |
107166 |
Scheduled Task Created - FileCreation |
Center for Threat Informed Defense (CTID) Summiting the Pyramid Team |
Sigma Integrated Rule Set (GitHub) |
3418c5891b9d0a4ec974985072278b35b0a0f0254118d766d07553a547284b87 |
174884 |
7554 |
Suspicious Network Connection to IP Lookup Service APIs |
Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7b06f86400ae084ca05c7e2cefe70b8ea4910b6196d969ae516b9d5d1c99bfe5 |
166776 |
10742 |
Bad Opsec Defaults Sacrificial Processes With Improper Arguments |
Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
53f67594c85a67cef198b525b556658fa4e46d1e49901472adbc8b7f0ba475a8 |
164944 |
5577 |
Disable Microsoft Defender Firewall via Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4d91cff1255532aacd25d7b82261d545afc7d30837d1643a0dd2c4617aec5865 |
160592 |
41330 |
Remote Thread Creation In Uncommon Target Image |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ea7ec9e92c165a4cef023fd658ef72279f03378ab53f4481eb973ecb2171b193 |
150989 |
1123 |
Suspicious Process Start Locations |
juju4, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7776601555567f764fc3e22722bef1fdde521b5bdff9fff38f9031e9a3f7ce54 |
149055 |
85 |
New Service Creation Using Sc.EXE |
Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9821e08a6d71e81d42d38e95e4265f2df05a9e00e70a874249d812f403a8c789 |
141341 |
1082 |
Suspicious Call by Ordinal |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b7eb83db20f6f8b5f580e107c2b6816110a31869a94de5e2797d917335d9fbc0 |
138538 |
90830 |
Classes Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
acb1ec4240103205f334c8fe26431568a458950f7b86b59652440e1de4dc0449 |
131723 |
4238 |
Suspicious Schtasks Schedule Type With High Privileges |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e36b579d4bc4ef49ede1d82dd08ec1cba660d105c6f037d12ecf79b434617e88 |
128148 |
3710 |
PSScriptPolicyTest Creation By Uncommon Process |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d6ff8dca8c8ea9fa750972dd032542746369179e3aaceccc1c3f2cc2a35f5d25 |
127698 |
2864 |
Stop Windows Service Via Net.EXE |
Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5b84c64b930b911c8206935d6c61b2a128347a34d495da3ea3523cdf5397c3ef |
125541 |
35021 |
Suspicious Process Creation |
Florian Roth |
SOC Prime Threat Detection Marketplace |
f09d5248ed8fc1a93251158bfda71f8144ccaf37fa922416ccd897498bff7c55 |
125405 |
3415 |
LOLBAS rundll32 without expected arguments (via cmdline) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
2fd6d2b16365ba7157eee4934b406ac7d530b4ec62cc1b45c69ee4f07989f139 |
120420 |
6949 |
Communication To Uncommon Destination Ports |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0cbddc72cfb3b9426508057fbe3e7b0ed88990983f04ad15f9685e585ce7ae66 |
114782 |
702 |
Rundll32 Execution Without CommandLine Parameters |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
87574dead19ceb246e10ccb4cb4fd5009c71c46de0d77965d2170bfafc2c3b14 |
111007 |
1146 |
Powershell Create Scheduled Task |
frack113 |
Sigma Integrated Rule Set (GitHub) |
60d527fe5a592cbe8e98428d1412743b909d5625ec8bc91d20e8b6ee8b36db20 |
110205 |
37923 |
PowerShell Initiated Network Connection |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b5e9f310ab6a8611ea1b7b788e712f0f6bf452c3092675694cf6256931874071 |
110194 |
36660 |
Schedule system process |
Joe Security |
Joe Security Rule Set (GitHub) |
02b55b29ddf740930b68c311ca7cd59354f8c35ceda86d09a3fb06f08b760857 |
108896 |
223 |
Potential Persistence Attempt Via Run Keys Using Reg.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
aa87efb252a9cf7bb1fb0114336bd08c338bc9046dd498d187c209cd94ddbc6a |
108639 |
2537 |
Suspicious Add Scheduled Task Parent |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
66d80afb92c9db3881829096827fcacc7b8a697c3ceeb3318163ce83367f394b |
107513 |
2706 |
File And SubFolder Enumeration Via Dir Command |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105 |
106817 |
9697 |
Displaying Hidden Files Feature Disabled |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a264eb1ecc5d771f6348e8cadd3e5508323440b132da9cd70e3c579354eb50b2 |
106167 |
98 |
Suspicious Double Extension File Execution |
Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5ead81ee12f2097316af35270a1ac0f8623db054349c52ef366fc42a4b7d2de2 |
102683 |
108 |
Suspicious Windows Service Tampering |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
941abf5111763a135c88b4f6437475eb4c99e8d4c3ebdb4b74e30321695b0fa7 |
99279 |
8594 |
Office Macro File Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
27801b0f98df1ce7686b07b693c59e734c47189ef3db24ea1093f6f00ff2ed67 |
97420 |
73625 |
Suspicious Script Execution From Temp Folder |
Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
96d2c399118cab5d249093badf4a85f0ef1889872b0191bdf131bcabc0994681 |
97196 |
13553 |
Python Image Load By Non-Python Process |
Patrick St. John, OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
433ecdf8469138ce151b9e283d8e892c2aaec8d0aa9a1f631efac7da11cb1ba8 |
96458 |
6996 |
WMI Module Loaded By Non Uncommon Process |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
fb092b3aee3feb316c048a1249e1ac9639a63cac318318afd45bf38887b31b0c |
96217 |
11031 |
Disable Windows Defender Functionalities Via Registry Keys |
AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel |
Sigma Integrated Rule Set (GitHub) |
387844917f76d926b5dde6a796bcdb423a54d6df4ab736e7752fb73dc931e400 |
96059 |
725 |
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript |
Michael Haag |
Sigma Integrated Rule Set (GitHub) |
8b884f70bb47a8e06faf8f548fcfef77fe3802d22c310c4cdfa01f35cb030bac |
92372 |
21445 |
Potential Product Reconnaissance Via Wmic.EXE |
Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
04969458bf2b005665d6b29fa937ccdfac26516eac5746c80ed78581033094c3 |
92241 |
3205 |
PowerShell Module File Created By Non-PowerShell Process |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b8c95f5909e68be942c69ab250a3b47557e33b2d1d582cd72e665210efeadb8f |
90059 |
290 |
Floxif Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
98d1e74d54870538bf25e55522e0e31814ceaa32679120ff66addce78f4c461d |
86549 |
1849 |
Potentially Suspicious Desktop Background Change Via Registry |
Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) |
Sigma Integrated Rule Set (GitHub) |
5a6c8cc8cab203cf6f2333e64a60bd47d75fb197ebae1de9ed494061e525a58c |
86282 |
149 |
Potential Dropper Script Execution Via WScript/CScript |
Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2020feadc9b3cf47558c219948361d9d3eb5347af91135f21bf711f6032bc817 |
85982 |
21795 |
File deletion via CMD (via cmdline) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
f9333cf120369debd56e4e238fffa10bdb2a1497c11e08a082befd02f9f3bdf2 |
85279 |
36058 |
Set Files as System Files Using Attrib.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
62ce96b648991749ff9b9ccc7dafa1d8da64d6490e9f469683f00fa248ef9336 |
82439 |
1330 |
Winrar Execution in Non-Standard Folder |
Florian Roth (Nextron Systems), Tigzy |
Sigma Integrated Rule Set (GitHub) |
99b7b3abf0ce8f702d10cc3f120ed16591df3c13fbda30b46e0623d93cdac439 |
79823 |
13709 |
Net.exe Execution |
Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) |
Sigma Integrated Rule Set (GitHub) |
f1048c602439313e72f67c634350106ba7b709512529457a6f0a5eca6835bc89 |
79558 |
13720 |
Self Extraction Directive File Created In Potentially Suspicious Location |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
af7095d7af79bbd5d71771ff686f1cfff97b7c8e0f56cb180a29d9eba0df9b1e |
79459 |
57 |
Chromium Browser Instance Executed With Custom Extension |
Aedan Russell, frack113, X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
37d47e5fc375cac096ef3e0d98b28b26d7e9e45f3b65373c8e1d5bb6d8e22b7e |
79312 |
30755 |
Suspicious Run Key from Download |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9bc88dec9bf37149ee55ca532e26602ba2ef11e86aa846ab6e0e461f12768b4c |
79249 |
861 |
Read Contents From Stdin Via Cmd.EXE |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0db9fba426142aca003830de31e38a7318ed0a3a299852f6bc4cbe8bc905515f |
79053 |
1342 |
Disable Internal Tools or Feature in Registry |
frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec |
Sigma Integrated Rule Set (GitHub) |
86c36bfac526414900d3b4c6f66d0b7bb2cf11a511b7ad65c486685dc8d4d05f |
78031 |
487 |
Windows Binaries Write Suspicious Extensions |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6676ee2bf136155325337ad27ca431e57ff815b4fbddfaf94908c8ae566aa5b6 |
77356 |
2304 |
WmiPrvSE Spawned A Process |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22 |
76962 |
92 |
K8h3d campaign (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
2e5a93340aede0794b671d3b3d020fb719a3985e78a96970d36c5c326f2fef34 |
76031 |
16930 |
Unsigned DLL Loaded by Windows Utility |
Swachchhanda Shrawan Poudel |
Sigma Integrated Rule Set (GitHub) |
683818f24875a562c0b792edd4183d333b6b0b284ca8a88cc47fb2c9ae5b1473 |
72592 |
23434 |
Windows Defender Exclusions Added - PowerShell |
Tim Rauch, Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
cf863dff3d564c975d28d336cb7981fcd6956e6fb9afbd2794f600b130e83171 |
69453 |
831 |
HackTool - Windows Credential Editor (WCE) Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8c09b5d8aeac44d4ad6b76333ab77edf4453d9c7f7db00d879591acfc9f98479 |
68694 |
16 |
Hardware Model Reconnaissance Via Wmic.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cfdf6fdaa1841541e46a9c7701402dd4782cd08947692cfdcf86532c87ea3dbc |
68662 |
2427 |
Suspicious Execution of Taskkill |
frack113 |
Sigma Integrated Rule Set (GitHub) |
cd06da2f3978bdb24b3f3c8f83c7df917a910c6b29921d0e375e418f340d8f3d |
68186 |
9888 |
Rundll32 Spawned Via Explorer.EXE |
CD_ROM_ |
Sigma Integrated Rule Set (GitHub) |
63bcc6f98c4a5594772428a329b433392d70f18a841926328607f303f3d782a5 |
68043 |
791 |
Potentially Suspicious CMD Shell Output Redirect |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9312dc563b7e9a010a22b457fb7cd94e9c686b75dc20fcf8a10236dda0e5e2b4 |
64556 |
4712 |
Usage Of Web Request Commands And Cmdlets - ScriptBlock |
James Pemberton / @4A616D6573 |
Sigma Integrated Rule Set (GitHub) |
6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf |
63890 |
10085 |
Oilrig |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c01baa2540aeb8f23c067318100db0ab3618e37acf7e219372e750398969c606 |
62415 |
36263 |
Hidden Tear Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
6416d92c1d6493914510053de27fbb52201520df66cac075111034d37aac4194 |
61984 |
24960 |
PsiXBot Malware behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
63753d667c596fd59cca6de277c7a4f8062dd47fb2ae19a1efdda0cbb8d7692b |
61973 |
24950 |
Orcus RAT detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
870bd93000dae7789508610f80cf9f2862f3b3e9fefec9b3cba32617a75799cd |
61970 |
24950 |
Swisyn Trojan (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
173f49a095aef2bc0480b5f8a8ae6c2d0e4125f9096d618a3865346b34d726fa |
61887 |
121 |
CurrentControlSet Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
5bddd3dd0944d27f3ff8b03e8a8a01f5a9d14540ea1779da5683fe601557a364 |
57885 |
1221 |
Dot net compiler compiles file from suspicious location |
Joe Security |
Joe Security Rule Set (GitHub) |
76e8bb8877ab40bd84b14fc93daffe9ff7ebe9440ce09916b5c63a302d62c918 |
57328 |
14959 |
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location |
Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c01e7ec6f86a4d6c135bc43d1a4e4a012bf97c07c8bb4238242fe32f06ea6d09 |
56801 |
183 |
Automated Collection Command Prompt |
frack113 |
Sigma Integrated Rule Set (GitHub) |
511fcd38b1cd4057f3b3568707032548bac72899a4b3c932f3614c6d89d417bd |
55873 |
10 |
Potential Dead Drop Resolvers |
Sorina Ionescu, X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1aa956a1fb5e5e7293864d3c9941d7469eae4a2c837614bdc2a6a741671526ae |
55224 |
2422 |
PowerShell Web Download |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
dac677b84d14788387f1c92fd6733396974f070639fca6be1bbf50df44b426cf |
55041 |
9607 |
Dynamic CSharp Compile Artefact |
frack113 |
Sigma Integrated Rule Set (GitHub) |
764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2 |
54262 |
7703 |
Office Application Initiated Network Connection To Non-Local IP |
Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
cfd44c3835317e846b18021a9060f4b9b011294ec53eb3ac1fad568abeb37922 |
54151 |
46931 |
LatentBot malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
f5653d51811614b162ab7311b24033c85bf166bbc322d83f4f72d0b9a366a01f |
52204 |
19572 |
Suspicious Execution of Powershell with Base64 |
frack113 |
Sigma Integrated Rule Set (GitHub) |
eb75f9de2201bfad4ef177dca85b0b8fa8e5a86ba2357af5301f72acbc5eb144 |
50868 |
1029 |
vbc.exe execution. |
Den iuzvyk |
SOC Prime Threat Detection Marketplace |
7f5e752d29abb27ef7222f5171fe6719092aa64cb1a11187e75e3efd277216b3 |
50282 |
159 |
Use Short Name Path in Image |
frack113, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
a913250de417b0235e4fbff14e07a25585d216d2000ee8ef314227987aef7eb0 |
49811 |
11969 |
Shade Ransomware (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d8f0141497fc47a78fbf41591174881fdf0e85f2937b08befec5c6273f8867d2 |
49059 |
160 |
Drops script at startup location |
Joe Security |
Joe Security Rule Set (GitHub) |
196a9c9222e3b003ccb0caadc29931d851129ba863f99545299786a032864d12 |
48898 |
392 |
Hiding Files with Attrib.exe |
Sami Ruohonen |
Sigma Integrated Rule Set (GitHub) |
5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b |
48581 |
840 |
Direct Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b5f76af9d8101930af8d4fee71f3a5395b47eff6bb88e581db02bf890242d79b |
48457 |
2449 |
Suspicious Executable File Creation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a3e8f1f39ee9f212f863aa80fb48e783e942fa1db242be073c5647888fd6b094 |
47056 |
897 |
Run Once Task Configuration in Registry |
Avneet Singh @v3t0_, oscd.community |
Sigma Integrated Rule Set (GitHub) |
0e31671617efd7f7d79bdc60259af085a8ceadd59619e28e3f3d57d90ed1501d |
45177 |
122 |
Modify User Shell Folders Startup Value |
frack113 |
Sigma Integrated Rule Set (GitHub) |
0799d32e125d6df849ced4dc75e232438c118a816477d3f80a390cbd8b4d07ef |
44681 |
81 |
Suspicious DotNET CLR Usage Log Artifact |
frack113, omkar72, oscd.community, Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
d3c65dba4df23fb384d566a6730f08957cd6e906ab86db5a042c01a5c4258230 |
44289 |
21118 |
Change User Account Associated with the FAX Service |
frack113 |
Sigma Integrated Rule Set (GitHub) |
26eb124f6709979c69bbb0025f3a401c81cde2ba2f83098c32504f896490fc2d |
43774 |
0 |
Usage Of Web Request Commands And Cmdlets |
James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8 |
42835 |
7693 |
Sysmon Configuration Change | frack113 | Sigma Integrated Rule Set (GitHub) | 953121a751fbc01b581e57dfbcfb08d3f714fa9df54e4180dfb7564c3b2e3153 | 42786 | 15957 |
Potential Binary Or Script Dropper Via PowerShell | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bda626dd3bfb65bcce23cf31a18f15b58628dc48b2bb5cd9fe5f9ea5f9a3cc8c | 41986 | 2290 |
PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9e98f5066d90fefc6c08a2a98baaaeecc9dcfccf65c96170128a898353b6d50 | 41725 | 30413 |
Suspicious Non-Browser Network Communication With Google API | Gavin Knapp | Sigma Integrated Rule Set (GitHub) | 6094a7d0c599a4dfac3b49ed5776afacc4a66b1a643b8aa31dce51c8f32f8704 | 41217 | 27453 |
Use NTFS Short Name in Image | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53658db80063ea16a40c90c24fa4cdb4a146dec6685cf48c0167318df2cbe20f | 40762 | 4329 |
New Firewall Rule Added Via Netsh.EXE | Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 7b1f3cd9ca9b55feb5fdd5c8e1821348f2d78745282b41055af44f88df612112 | 40392 | 2580 |
Regsvr32 DLL Execution With Uncommon Extension | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c0cdd12b4805f2aebecbc0415332f2594acf1ae6d8d82da086eeac9a84bf0c37 | 38653 | 4062 |
DropboxAES RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8c558244a29064b6842314ce986116d2007b1087f6f8bb45ae883911d0155549 | 37828 | 15876 |
Windows Defender Exclusions Added - Registry | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 795fba906ef1026c4e4d4ae583b085f3f640182a288987bf4d43695ea7e62992 | 37701 | 181 |
Suspicious desktop.ini Action | Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) | Sigma Integrated Rule Set (GitHub) | cdd5a8ff564f3632d9613d1f4925baca8be40a01fe14c7ba3e30f51bf1ff3829 | 37487 | 1500 |
Scheduled temp file as task from temp location | Joe Security | Joe Security Rule Set (GitHub) | 90af0ea1f6d871f169dfb41b18545bf456f980c5d75f60f1293c34f071f6a31c | 37385 | 198 |
Amsi.DLL Load By Uncommon Process | frack113 | Sigma Integrated Rule Set (GitHub) | 839b8da98cb18a93a4c803f0e372af5098133357d4e2c35fd9f75cd01bbd43b1 | 36948 | 3931 |
Shell Open Registry Keys Manipulation | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cd6c2801be2f14154f9616435303948eacedd79025bd0646cb3c34bb536b7cab | 35788 | 42 |
Stop Windows Service | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 9afc79c8a56e6e5c4cbd55d203a7dce8efc4ed28aa315b736c842a88b1d3dd0e | 35371 | 4829 |
CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | c3e407003db6c8b95e5a7dcbea08bddf8b53b265400c2feb32abfa523336257c | 35152 | 44 |
Registry Disable System Restore | frack113 | Sigma Integrated Rule Set (GitHub) | 39ac4b0484423463b1d746fc5446062ea1299bec08a2dd2bc058efcd9c06f2e0 | 35063 | 18 |
HanaLoader (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 38853c8efaf750ffd744961ebcbeb037146acaabb9ca85c445af59f87e98e44d | 34827 | 13642 |
Uncommon System Information Discovery Via Wmic.EXE | TropChaud | Sigma Integrated Rule Set (GitHub) | 0546c2d1b6847c71b54cd4de2f5363edba0cdf02eb90da287ec9c110d3c4af30 | 34606 | 564 |
DNS Query To Remote Access Software Domain From Non-Browser App | frack113, Connor Martin | Sigma Integrated Rule Set (GitHub) | 210890087c5c0874ddc8155130ae1218d789f501e70a75ad47c71bbbc76004af | 33406 | 9332 |
Suspicious PowerShell Invocations - Specific | Florian Roth (Nextron Systems), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 7d262d8417cb03b2a9d2b935ae55980f22abc3aa7cffc36e57eda761068226dc | 32975 | 479 |
Script Interpreter Execution From Suspicious Folder | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 92acfd50d9fe4d995d6998a5346e4e031ea037d422458bb4f74555a52ffc886c | 32298 | 5522 |
Suspicious Network Command | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 76a1e5bc5c7d4b95d8c382b4ecefb6a628ea4fba6cbf029fbb3cc32d36dcce57 | 32036 | 4134 |
Tamper Windows Defender - ScriptBlockLogging | frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c14e1f7f13c2bd7f209d1a9b75c7c313606e7e245601bf31765f2770c858ce09 | 31858 | 207 |
Windows Shell/Scripting Application File Write to Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 248820e948efae04f89b524348c8398f0b278befcaec4fafddf73e9c5dda0353 | 31724 | 328 |
Service StartupType Change Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b55af83c751d2c7bca8dbba245a97017e34109bff34fd50b02f60a91111ea703 | 31443 | 4800 |
Suspicious SYSTEM User Process Creation | Florian Roth (Nextron Systems), David ANDRE (additional keywords) | Sigma Integrated Rule Set (GitHub) | d0b906c9286d892a8434845afa7551135e37841bdace5aa7fdf1c6bd9a823c73 | 31306 | 204 |
Compression Utility Passed Uncommon Directory (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | f4fe24c510771cfebac8ea12b6e86858e92ee0807f17f8dd0e23e2dc5e1b8049 | 30633 | 589 |
Start Windows Service Via Net.EXE | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 3edfb66bbbe5056c7df0064ed6164a68632d8d476ab015091e0e33f5159d9052 | 30301 | 5864 |
Windows Defender Real-Time Protection Failure/Restart | Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update) | Sigma Integrated Rule Set (GitHub) | 300832dd5414e83d23f6791c1f960c07191eea49ca183cc0ce1230b6c777f565 | 29836 | 16334 |
Dynamic .NET Compilation Via Csc.EXE | Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7 | 29572 | 4544 |
Use of W32tm as Timer | frack113 | Sigma Integrated Rule Set (GitHub) | c36744b5f28fd16a3d12551b5ab3040cda78b8771cefa8acaf2dbdd269e4af2b | 29049 | 3849 |
ADS Zone.Identifier Deleted By Uncommon Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43c6ce8bdbd683e1a7f4fb9b49a3a8236621ff32e67fdf0987c5770097ef376c | 28493 | 3577 |
Process Reconnaissance Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | c64577166c54aa12e6fafe9322a15fd35e2e359c52a4b545c470853d848557ec | 28415 | 2114 |
CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 17affcf8751489416a8bdd1c7819271220bd9bdd11f595b644b2966c3e3b1b80 | 28395 | 2056 |
Potential WinAPI Calls Via CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7d53de0fb9c4ee79b8ab06605cd3a8faaa400a586d577c9a7d692f059a3ac78c | 28240 | 17177 |
Capture Wi-Fi password | Joe Security | Joe Security Rule Set (GitHub) | 2e31c80fe0affb3753d7456883282043c5795a0abd5906589d7b67f0eb04076e | 27997 | 452 |
WMIC Loading Scripting Libraries | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 022ee32433f415a35cf214d689b7c20ea4d29ed50a5be04595877663d8128997 | 27648 | 1699 |
Suspicious Volume Shadow Copy Vsstrace.dll Load | frack113 | Sigma Integrated Rule Set (GitHub) | c79aa27a6bc774dc430e35f8d05d743b7bea3638a8776f9e8c3ba8f7188a856a | 26460 | 7609 |
Suspicious Startup Folder Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3396956bf20db86e217299b41f051d8e3807a72f92450b595e46cc0a7e70800b | 26369 | 375 |
Dllhost.EXE Initiated Network Connection To Non-Local IP Address | bartblaze | Sigma Integrated Rule Set (GitHub) | 0469df5507574c65082f62410c1cc9e493ba1daeff82396b38a60516c6f4187c | 25692 | 5058 |
Suspicious PowerShell Encoded Command Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 12273189dbbd1ed526c045fb9a7d5e45682ba4e0a13e2e94d65376962a0bfc2e | 25639 | 348 |
Registry Persistence via Service in Safe Mode | frack113 | Sigma Integrated Rule Set (GitHub) | 876ae5900040fc2ad5fd69d8477e94869d5e147f2af5c4456d0b099844c20bb5 | 25576 | 5831 |
Msiexec.EXE Initiated Network Connection Over HTTP | frack113 | Sigma Integrated Rule Set (GitHub) | 4a7e3b52f438365db6b61867f157e3bc434b40fb9916eba681bb857e7a1041ee | 24920 | 11856 |
Sakula RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1c2774ed7c4cad91219d007aa7101b09d19b442613cd2e3fc453726a7abd1b1a | 24816 | 11 |
Remote Thread Creation By Uncommon Source Image | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | 5242ae9a7c0bb9967f443e598ba4d27edfa69ca76b6fbb7ad0d569f7e9067668 | 24646 | 86 |
New Custom Shim Database Created | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c028d3fbfe3db756b5129f320616cde63b9929b02e91fb76c1b12fb726eafb71 | 24565 | 52 |
Explorer Process Tree Break | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber | Sigma Integrated Rule Set (GitHub) | d44e9b6572a6737a34b18fd89f757237729293ed9959e5be7dd05d63e7f78622 | 24541 | 1981 |
Suspicious Add Scheduled Task From User AppData Temp | frack113 | Sigma Integrated Rule Set (GitHub) | a219a0bf27f7f5f1acdc1fbdd83ff3d3f3711edd5b8111b967d8eb1575aa3b85 | 24196 | 146 |
Potential DLL Sideloading Of DBGHELP.DLL | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | 601376b375400e92dd2beb3ddd52c4c8151878f99ed7a406718b7672b4e3722f | 24164 | 3952 |
Computer System Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c8e910a6a612d2b2556bdcc91dfca15a43385b8571e490ed29c46ef1a3e5e144 | 24078 | 2208 |
ChChes Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a515be8db5d265bf43ba29f21c53f4e482fa0f7db4acc10054e85bc0c516a7ba | 23602 | 2637 |
Suspicious Execution From GUID Like Folder Names | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 08e7088e12bfe2fa4d351a66754c13a0aa7ea7b70fb40c21ce782ac7321e54e4 | 22917 | 13212 |
Suspicious Tasklist Discovery Command | frack113 | Sigma Integrated Rule Set (GitHub) | 54b43d3a279bdcbcca22abf416f8b57c691f2c84a9363507162ca472e30ab902 | 22497 | 4402 |
Suspicious Scheduled Task Creation via Masqueraded XML File | Swachchhanda Shrawan Poudel, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | b0f576aead127b964909d75f26e113ee55e88fb8d2bac31fe4a5c12337b4f327 | 22346 | 228 |
Powershell Defender Disable Scan Feature | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 452d2469c7cd2c2065eaf39a671afb28d62803ea89003d82491c0e02559fcb9d | 22334 | 90 |
Execution Of Non-Existing File | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d2b7b95657238f7c078b9a6a17689a6184c1cf349ffb183b174ad2bd84681b08 | 22242 | 1393 |
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 98a4dc6e84bd2b7671587aaaaa8a8ae8fdd2f8d8880705d12e11f767c77df7c4 | 22115 | 437 |
Powershell Detect Virtualization Environment | frack113, Duc.Le-GTSC | Sigma Integrated Rule Set (GitHub) | 6e1823de286f8bef414c648f5738bec3bd40700cba3765da26e6500bc2d8e387 | 22097 | 4229 |
Suspicious Eventlog Clear or Configuration Change | Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 | Sigma Integrated Rule Set (GitHub) | b8f19be4c7bf862dce0d4d1f7885f2207ddf93b3a33d8a6e16f3968c4fbb6491 | 21936 | 3928 |
Load Of RstrtMgr.DLL By An Uncommon Process | Luc Génaux | Sigma Integrated Rule Set (GitHub) | 7d0d3be8fa405f5e34c2e0cf9eaa345cacd60eb5244b50b23dc54c4785bc7512 | 21850 | 3323 |
Suspicious Encoded PowerShell Command Line | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | 09a6527b05920e47aecbebf5df306d1c194b850076e73d74c3b9ead23b654425 | 21657 | 261 |
Powershell Suspicious Win32_PnPEntity | frack113 | Sigma Integrated Rule Set (GitHub) | 7cf1e08df2c1e71b9ecbab0ba652d8d7adc890f53db8c630b859d32064f3eb3a | 21506 | 3651 |
Cscript Visual Basic Script Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 140aa55cb94f2ee1de560a395631283b557b8f771117a7991289298e2c6e7f6e | 21446 | 3633 |
Net WebClient Casing Anomalies | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b81c8afee92062579f4f19ea901c1194542107857913a32a13108debb721c71 | 21433 | 222 |
Potential Maze Ransomware Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d807dbfa78ad565695bdfaa5793858aa25a153091a49b554975f48182344c78f | 21193 | 0 |
Network Connection Initiated Via Notepad.EXE | EagleEye Team | Sigma Integrated Rule Set (GitHub) | eebf53f371a18d7f8d6992a935d2fbfe811f3d78552949a0597456693cffd553 | 21043 | 4 |
rundll32 run dll from internet | Joe Security | Joe Security Rule Set (GitHub) | 232de5bd44720ce2fb34b305f8385e685f63ee5e14d8845368072b2fa100a5f6 | 20926 | 15145 |
Suspicious File Creation Activity From Fake Recycle.Bin Folder | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 51a5b51db51679c45a7aea23d8e25f242e096a01ad35754b45acf5da3ec98440 | 20735 | 28 |
Windows Defender Service Disabled - Registry | Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 5800379600db7e280b56236f291d8f474f097bed4c21c02367049347a8febc40 | 20338 | 93 |
Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | aaa442da8065368308d21225f195c966f7aacd66f4a7703b37f095739a0752d4 | 20287 | 3519 |
File Download From Browser Process Via Inline URL | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d67139d73a6d7369e526a363923c3f504c081ba52a8f8556080f518c4302090f | 19815 | 4592 |
Office Application Initiated Network Connection Over Uncommon Ports | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 338327c7da2a9fd3fa20080c302384046430050cf2eb53403c7334a8bc26da19 | 19747 | 14311 |
Suspicious Volume Shadow Copy Vssapi.dll Load | frack113 | Sigma Integrated Rule Set (GitHub) | e3c2bad5a5af60244d315d33a3dc0534c602553aaeca2a895ba4ef848a637abb | 19679 | 5322 |
Suspicious PowerShell Invocations - Specific - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc48d8314d305b4c97b9f813958e20738bb989b83928e70ea811bb7c0bf7e197 | 19588 | 276 |
Suspicious Process Parents | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 339db70fcafbc2231425e99a4637ca5513d5eadd2f7807a2ad8bc9123ec81129 | 19192 | 22 |
Suspicious Windows Update Agent Empty Cmdline | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bfc362a89797a5fb7c7a15aee27b5c62127fff278db59f8dad27390ea34e3e1b | 19185 | 21 |
Potential PendingFileRenameOperations Tamper | frack113 | Sigma Integrated Rule Set (GitHub) | 3b132597acd67d1315d83f5f329eb2db40a281a5c93df8881e681ba8d6af5a59 | 18813 | 9195 |
Startup Items | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 80c9078b4f0a21412506961251c7253e037afc83c8a88cd362377082d1efaa30 | 18720 | 16310 |
Potential Suspicious PowerShell Keywords | Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup) | Sigma Integrated Rule Set (GitHub) | a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d | 18359 | 514 |
Potentially Suspicious Rundll32 Activity | juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0d7b38274ada42870a9b5fe59433cc701b21c18ef543b8c653d2e5dae0f93c0e | 18153 | 1478 |
Windows Shell/Scripting Processes Spawning Suspicious Programs | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 80bbf1ed6106205ab2926430c9634286f976b2fee4357dbacddec45b979a4422 | 17920 | 622 |
Suspicious Execution of Systeminfo | frack113 | Sigma Integrated Rule Set (GitHub) | f2a81aa24c1d19a09711179a71cd58fe057ab277cbef8632cc6a9281d5cf87dd | 17884 | 1445 |
Potential System DLL Sideloading From Non System Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e4b059c53908c7008669e834c3c05ad45881842235e14670eb30e91a8df736d4 | 17433 | 6034 |
Execution Of Script Located In Potentially Suspicious Directory | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 444cf775e51f1f48a4f280cf4a392d9fa3244628404c303864ad4b00325530c5 | 17413 | 10437 |
Sysmon Configuration Update | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 63576d1c84436ef61b9f2631071146cbf42394a36c3e1a2d0ce83bc2e7b2fcc7 | 17355 | 7966 |
Access To Browser Credential Files By Uncommon Application | frack113 | Sigma Integrated Rule Set (GitHub) | 74ea3fde96df11352e7b3c70bce437f83f170b5677efeb447c7f33d001142691 | 16956 | 452 |
Hacktool Execution - Imphash | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e5df091eea8e09dc9859059928ad9ae436f75c7bc67be324d1582e24fe627533 | 16491 | 46 |
Imports Registry Key From a File | Oddvar Moe, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | d17374b215c7dec3cfb7a7588c3e1ba10e710be57c03928275fcfd3c65bd187b | 16154 | 1117 |
FlowCloud RAT (TA410 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 159df9b8abe4902ba69f24455a788a64edcec473e20be350469118e1c586299d | 15824 | 1069 |
CLOP Ransomware detection (Sysmon) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 94b16fc40ce61b0527bd124b84d6a631649e579c2c571a3dc68d4f0f9ee4aa76 | 15622 | 5417 |
Suspicious Chromium Browser Instance Executed With Custom Extension | Aedan Russell, frack113, X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5511a10e5fd658ddc15e8b7fa4c8cc7cd60289f6e54d703f50a9f3a8134ab796 | 15446 | 2482 |
Potential MsiExec Masquerading | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 709fa572c6d4a06b81742c9cefd264b1debafc1f9b2aedc9798d5cb749d52458 | 15323 | 192 |
Potential In-Memory Execution Using Reflection.Assembly | frack113 | Sigma Integrated Rule Set (GitHub) | 912f22774b3e6d5ee33f034551a616aae59ae320fe812cf9c2010432ca80df77 | 15179 | 1237 |
Unsigned Image Loaded Into LSASS Process | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 41a3e620fba7b86366fe885ba1b20dbaae2be7596e2e9b194ab65dae5e4a7b53 | 15047 | 25 |
Suspicious Program Location with Network Connections | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 01b1cc2515aec2562e5e8cd3c88a60677a1acd2d680b289cf67fa493abe433d2 | 14925 | 845 |
ServiceDll Hijack | frack113 | Sigma Integrated Rule Set (GitHub) | fb1acd0dbf62447f03607a7716d5d6bd489403a486bd8807beba004bab482bdd | 14884 | 645 |
File With Uncommon Extension Created By An Office Application | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5c100e376f43b26c0279b6ecab437d35499a64f73cd9c1b180f62e840eebd2a6 | 14880 | 199 |
PowerShell Download and Execution Cradles | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e88280a32f81c8575c3cb9b02910d867498fbf28ca75ca922ad991faa3a68879 | 14876 | 394 |
Access To .Reg/.Hive Files By Uncommon Application | frack113 | Sigma Integrated Rule Set (GitHub) | 14975883a22bbc5b0ee6745b2bb5cecf6a97d5b3bc38e7550a98401292959bc1 | 14837 | 6986 |
Pyvil RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1b78637b79c8dffe83e4631ca8812c2cab4799547d30fb65df21e42f1894053f | 14809 | 6648 |
Suspicious New Service Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e9fe41f275cf8282c3e18ce1605f533249acb7b3762d23c128bd0febd22a085 | 14662 | 2412 |
Script Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | d2ba63dcfd40541d69308865939969a6282a95c29b46e0eaeb0c39701b6aa2f7 | 14589 | 1104 |
Nymaim Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9d7fe3dd2aa50123d54b48a488447b37091616c00667ae7c459bf19dd1ad2e0 | 14561 | 24 |
Office Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 0533bf39f662d089d6f317f51a9329a2865ffc0d84552c58c39a8d35672474a4 | 14545 | 9816 |
Script Initiated Connection to Non-Local Network | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d980d509aaf7ca8f2c6cd9dd23e8ea6eb18328ca64711cb6e059ecec024fe0a | 14460 | 1078 |
Suspicious Curl.EXE Download | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d86dfee683d0e96803dc8a153d15f7208afc774045e2d885ccaec10bdcef7831 | 14439 | 2580 |
Local Accounts Discovery | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c | 14093 | 2939 |
Potential DLL Sideloading Of DBGCORE.DLL | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | fd3370668fc80cce04ee89dae971b4c8e5395a5e40e431348a67c8a75b708bee | 14078 | 863 |
Use Icacls to Hide File to Everyone | frack113 | Sigma Integrated Rule Set (GitHub) | 2b816898a4d295bb7523cf3cf83af84a641b8f2a145e2ca8b12cdf2ac8193a13 | 14036 | 42 |
Msiexec Quiet Installation | frack113 | Sigma Integrated Rule Set (GitHub) | 269369cff6a753f9bd7a50d72f15b83a86911e2d6d46e1a38561ac385481c372 | 14032 | 5054 |
A Member Was Added to a Security-Enabled Global Group | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | ba8140e5173f7647dc01d2d1aae82bf84283f52c7aece9e9a61f7f5e75ffe53a | 13933 | 533 |
Network Connection Initiated By Regsvr32.EXE | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | dc313eb40a68f81f4e6cc8b4658215600b2bac992cb67ea873d40ba70e41b7b3 | 13774 | 42 |
Suspicious Service Binary Directory | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ecf07e5502e8c93b8a8359e6bde14af9098293d382223c0ecf59834a37cac953 | 13385 | 9 |
User Added to Local Administrator Group | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 534ecedeba777d436d37888757fcae6c00842f791bdcb6c39d8c804ab3c6a535 | 13137 | 262 |
Firewall Rule Deleted Via Netsh.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 052f94156672e1511386806889ab6346ea81a8f49f98a8610ce616ee7a9ae931 | 12927 | 3653 |
Access To Windows DPAPI Master Keys By Uncommon Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ec1d4770fddf21948d437ee8ade88904c7b95601bf83cfe214687e2611dd530c | 12490 | 15 |
Potential Product Class Reconnaissance Via Wmic.EXE | Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community | Sigma Integrated Rule Set (GitHub) | fc6236ee6917b72dac2442d623fbec008944e69e1788346494f1f98b38acb5c9 | 12279 | 374 |
Credential Manager Access By Uncommon Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 24966e29f8ae02e09ad40f3d903269a0ead88427f40a35139eb4d628aa926547 | 12012 | 37 |
Internet Explorer Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 11ecb99add36c59a082a478e7c117545e6404a0b28c77c007c135739df91a489 | 11744 | 1660 |
COM DLL Loaded Via Microsoft Office Product (via sysmon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 8f3c9743049559fb0309f2478f6d6c65e7de8ef0a27373e4c584779e3276979c | 11665 | 8034 |
AMSI Bypass Pattern Assembly GetType | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0a84db82d1740ebcf2c704e4d71ef3e033441b714135baf3b4025983a8c4e14a | 11516 | 8 |
Potentially Suspicious DMP/HDMP File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 098155535b5f140a45c1a07ea729542903d8e4bb81674f7e3a5636d6d121422d | 11286 | 6457 |
Suspicious Msiexec Execute Arbitrary DLL | frack113 | Sigma Integrated Rule Set (GitHub) | 5802db25decfb533c2f29a2580aaef6b1d4833aade450592d1dc36e256141c3c | 11120 | 7203 |
CARROTBAT Malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e5937a80eca18cdaa94adaf02b89a4af91bb9605d3236af13685c8b481d9b1b1 | 11097 | 2235 |
Directory Removal Via Rmdir | frack113 | Sigma Integrated Rule Set (GitHub) | d0d48610cfc4076f9598a2787593e35702aa291f3772b3678c8025aacc26c35d | 11003 | 4849 |
Xmrig | Joe Security | Joe Security Rule Set (GitHub) | c9f2b527fcecda6141fde1caee187052676355bc055141a8caa6c22482fca3ad | 10992 | 19 |
Powershell File and Directory Discovery | frack113 | Sigma Integrated Rule Set (GitHub) | febfc891e8c04ffe16ce1a9eaf5731b0a321cf42be5c06aed06252ec31cdbb79 | 10956 | 5232 |
Potential WinAPI Calls Via PowerShell Scripts | Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 6c44b18934e9ddd288d035d35a258c41fce2d5f5ebafc55ff866a95fb78db9c2 | 10954 | 1064 |
BackSwap Trojan detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a5470af7af21c2bc99ebc438fe841b20ec62f530e6540dc01ce42deed3ffb1eb | 10732 | 2193 |
WinSxS Executable File Creation By Non-System Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b98d05d95e8a26eef6f1edf143064928002638d3a45c7a007a16c7b3bb5a9cd7 | 10716 | 1 |
North Korean RAT - BLINDINGCAN (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6bb61b38bbb774f185f535cafe7a2fc3b848377409dde9963a571d825562c79a | 10642 | 12 |
Legitimate Application Dropped Executable | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a323ff5e5edb2d7bf37ac8071bd7e0943ac4d50e99adf03671a8b5bb0eac5cf0 | 10591 | 101 |
Shadow Copies Deletion Using Operating Systems Utilities | Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | ad5e4d4b939797a70a9aa742d979a4742c2cfedddd663fb1a43b2795c1e6054b | 10486 | 75 |
Malicious payloads that are hidden in fake Windows error logs | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e55945cd70c0ffa247fd76996326089548147e223588b2b6aeef053c1c0ce613 | 10414 | 2374 |
Suspicious PowerShell Get Current User | frack113 | Sigma Integrated Rule Set (GitHub) | c0ad3fd3010dc41b8f54cd4f911b4bf081d2d195b0e7548cdc60ebcee9250ad3 | 10405 | 6585 |
Load Of Dbghelp/Dbgcore DLL From Suspicious Process | Perez Diego (@darkquassar), oscd.community, Ecco | Sigma Integrated Rule Set (GitHub) | 31e54e59e39fda87af874302c79fe8910fcd407edfed11f536cb042394e49c09 | 10160 | 7704 |
Suspicious Msbuild Execution By Uncommon Parent Process | frack113 | Sigma Integrated Rule Set (GitHub) | 99aac26486266b4916c883cf9ec793784cff9e6617ed361b8c47f7972a4baf46 | 10016 | 79 |
Potential Homoglyph Attack Using Lookalike Characters in Filename | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | f311f45a27e981db5c1aff6b1880679af30210f2426d026f442a886afec6ac05 | 9986 | 372 |
Registry Explorer Policy Modification | frack113 | Sigma Integrated Rule Set (GitHub) | 767b140d3dd4f5df18244f9d3f3a79b259843572bf19ec0cea5f646e1f350c6f | 9947 | 149 |
Suspicious Copy From or To System Directory | Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de683a6054ff03b9c12e58c842648f759cfcf797f91dc01078d285e8f3f8e856 | 9770 | 844 |
Stop multiple services | Joe Security | Joe Security Rule Set (GitHub) | 2319d1843957b572c6e41e1d83656e12eac1e5e75f59ac1ccc309c2b00e9ef86 | 9728 | 9 |
Console CodePage Lookup Via CHCP | _pete_0, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | 3bda98164bb253cb435c3bc30ce36f9f570b187e1481bf7feb1e9468422fd79c | 9663 | 2356 |
Suspicious PowerShell Parameter Substring | Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Sigma Integrated Rule Set (GitHub) | 1929e853315b3b5398e0837b2b8928a28ae8eec0611ebb41efc5e6b33e78cd6c | 9304 | 702 |
Suspicious Binary In User Directory Spawned From Office Application | Jason Lynch | Sigma Integrated Rule Set (GitHub) | fb4acb832d8776634f7ad5e60b2ae16c329118186cc8dcf04d1ce959185c6264 | 9290 | 9 |
Suspicious MsiExec Embedding Parent | frack113 | Sigma Integrated Rule Set (GitHub) | f46fb5682ba3b26a58530a0f49196fd4253c14c4e64dd7069f21357e3d079509 | 9006 | 3940 |
Browser Execution In Headless Mode | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 33ab0a6585e80d6608925e96cfd8ae0cbc9b1fde20f036215a29c04eff4548eb | 8971 | 98 |
Potential Dridex Activity | Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 11ef2fbb89770dbec860f554810a4e34a33e1326589f9eaf562412ceba567f00 | 8850 | 97 |
Add file from suspicious location to autostart registry | Joe Security | Joe Security Rule Set (GitHub) | ab2075510415e5fab5635dc30ecec20ea16d6bead9c4397297335c9520922561 | 8813 | 28 |
Potentially Suspicious PowerShell Child Processes | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2105a0eff0c693326dcb33bbdcfd768fd6c8825061ae9eb48d31703fabf241e5 | 8770 | 1449 |
Sysmon File Executable Creation Detected | frack113 | Sigma Integrated Rule Set (GitHub) | 89e801c894097380321f8d053ed1de87b584d895d5b7de28ee9167d1e0aa90bd | 8742 | 2852 |
Disable Windows Defender AV Security Monitoring | ok @securonix invrep-de, oscd.community, frack113 | Sigma Integrated Rule Set (GitHub) | 78a8ebe85ceee09aa63f018db033f8616308e95816c4f7429ba0bafe2d0995b9 | 8607 | 71 |
Reg Add Suspicious Paths | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4ed42e9d011d5674f2f07c78f41b8a2bfd742ee689b7a57fce8316e002688075 | 8434 | 940 |
Visual Basic Command Line Compiler Usage | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | 5cde8271bb36c24d7ac552a1d30127f3f00a08a681a90eff12e3eac68b72bf47 | 8281 | 18 |
Interactive AT Job | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | c288d5891a082dd1f38d14b832960d7e1b88651dc301c6985be8e66b561bf95d | 8245 | 8 |
Remote Access Tool - ScreenConnect Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4e5183fbf4eb55f1facacd3e44e6d35245f2dea793693a25f292b52509cbdb72 | 8210 | 315 |
Potential Persistence Via Visual Studio Tools for Office | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | c04f755b9283e9e31eead7707a061225ee4da75cf49c91823ff8aa1d7e026551 | 8086 | 5233 |
Suspicious CLR Logs Creation | omkar72, oscd.community, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | a0cf7d21374ebc3567492775f48033b67b0a81b95521f405e5be52f2950f9d18 | 8078 | 3240 |
Potentially Suspicious Malware Callback Communication | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c819b1c2210c6c76f29e7d15825b104bbd98de4d9561a6c86a8b158afd0d2be9 | 8056 | 360 |
Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c2a677a155b0fd75d813c22a6dc0d1632310c42fafb3c2d5cb08090c75ce491e | 7876 | 522 |
Greedy File Deletion Using Del | frack113, X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c1c4c35f46055951f3124f8f5791b474f919c9dee2a42d1e737590c5eb7169a4 | 7857 | 23 |
Microsoft Office DLL Sideload | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | e48472e0a390541687c6ed6e14d37175a2e2eef8a82f796036fc7d9f7df9498c | 7816 | 129 |
VBA DLL Loaded Via Office Application | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 1c4b9974eadae6764e88b6287305d477f5d777a06dd5a75e4773cea197fb1b0a | 7776 | 7079 |
RDP Hijacking. Last logged-on user changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 13ed88b8063438c80d6eb6c7e9aeda38d201453d83fa949f65867ced46825db3 | 7648 | 3286 |
Local User Creation | Patrick Bareiss | Sigma Integrated Rule Set (GitHub) | 8a5a3c45e4c0e75583d9be0aa76f935e9be8f878840cdddb49890be7a65180a6 | 7602 | 259 |
Suspicious Process Discovery With Get-Process | frack113 | Sigma Integrated Rule Set (GitHub) | b0d225f3239543a37159ba2855ee1e7972c6bff3c83ce7aed9056599f6ee6314 | 7570 | 3100 |
Unusual Parent Process For Cmd.EXE | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 16502dbca7468597f52d37ca5a5a0f5c904c43f0ca2b6726d890a67a63b68516 | 7485 | 59 |
Suspicious WSMAN Provider Image Loads | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 33e7351552f382831af6bf73d86054bced055e64df091f572c94e9fc9e9a2a97 | 7369 | 1076 |
Potential Binary Impersonating Sysinternals Tools | frack113 | Sigma Integrated Rule Set (GitHub) | 8652ffc2b3174864b7f93e2652bbeaa97cba1ce3a0949c10a85ea086c2478680 | 7328 | 308 |
Disable Tamper Protection on Windows Defender | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | bf1de3b61466c6018ee71be3f901fb544ddb30709a256ce88ddc19444b5a1ea1 | 7296 | 1 |
HVNC Attack (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0643197645f9051600e631515cbe8f526e02ae4556e6125c8f9bf640dcc17849 | 7220 | 259 |
Suspicious Powershell In Registry Run Keys | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cfe58f03c01bfef6fd133a3da09440cc5613a5dbeb310ee795cc443e18538943 | 6998 | 214 |
Remote Access Tool - NetSupport Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 65cfc106cf4668ef2ff3c230ac24edd977515d2743358a7e4015e31ea26a4cae | 6947 | 101 |
Powershell Base64 Encoded MpPreference Cmdlet | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f86d8f196029958699a0b36a9a1a254d7c1bfc594fd486ee04c1e4988965f3b2 | 6920 | 129 |
Regsvr32 Anomaly | Florian Roth (Nextron Systems), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 455818bf9dc4423de74cdfa396a0735e0fd29acee7f47632575decb468b11cb5 | 6904 | 1457 |
Telegram Bot API Request | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8119b0f5e55bcc32efeebba677769c41f458947ed836a43326d94ce77e2a6a0a | 6901 | 56 |
Schtasks Creation Or Modification With SYSTEM Privileges | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9278f03bce6b217a82c054a78cc6ea5acfebb4b16cd25b7d6cd842bb1dcfd8f | 6777 | 1142 |
Uncommon Child Process Of Conhost.EXE | omkar72 | Sigma Integrated Rule Set (GitHub) | 7b87fbdccf3c12011b709aab8b9bd4642bd61dc9880e0e1ce9ebb9901e2a3497 | 6743 | 127 |
Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 358d598d019422b994aa86b74a025eddf76f526b50d61f4163e79404bbe9ad0e | 6728 | 2595 |
Suspicious PowerShell Download - Powershell Script | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 124bf07ac70743e91b5698e3731aae0330fc182aa58036390f2a0457a90b5341 | 6720 | 1258 |
WScript or CScript Dropper - File | Tim Shelton | Sigma Integrated Rule Set (GitHub) | 858185cf49c680890b5a26787055bc3518a78b5c5f6fc2df09e5516b191cef8c | 6656 | 194 |
HH.EXE Execution | E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community | Sigma Integrated Rule Set (GitHub) | b0b20b09dd98169c1af4e8643b69d1bbe0cb12c553056b15d64e45d7726ff1b4 | 6651 | 6150 |
Powershell Token Obfuscation - Powershell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
0328ed59c29ebeee509b67ed087523a3cbfc646542f343aa12f9b1bbd64324fe |
6623 |
3100 |
Milum malware detection (WildPressure APT) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
30fcf3924a898a9d1747e89068ab2990c77ca3914a94aa78466d28a9d9da32bb |
6454 |
230 |
Remote Access Tool - NetSupport Execution From Unusual Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0c574c15cc6c9a17edd7b81b15044dd26631d2a7f6c2d428c6d68d9816e6b84d |
6452 |
410 |
PowerShell Get-Clipboard Cmdlet Via CLI |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
405f59430cd2ef58f1b3387a7fc5708e7dd6da1082e96fe6cb359c46daa4e056 |
6430 |
143 |
Path To Screensaver Binary Modified |
Bartlomiej Czyz @bczyz1, oscd.community |
Sigma Integrated Rule Set (GitHub) |
71c11c0cc84fa6ba12489ce6fb7a0c5729c809f47cf296aa025e7f514394f01b |
6340 |
259 |
Start of NT Virtual DOS Machine |
frack113 |
Sigma Integrated Rule Set (GitHub) |
705bee7ec50dc3b36f21deb0d2cb6e19b1a84d8142bae256797827d59ddcd242 |
6233 |
277 |
Suspicious Schtasks Schedule Types |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
83e48c48a7932749737a7bd38f5caa95e168e9a37a1d0730ffa0349f567f2895 |
6150 |
165 |
PowerShell Core DLL Loaded By Non PowerShell Process |
Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
309cda68f6a1f23a3de3d6604cd71d89098ca2472c6cfaae572a5d4375389247 |
6115 |
645 |
Suspicious comandline paramethers(shellcode in the command line) |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
c6bf20aec5b9dd748265363c7d01846ca0a5fc666f1114770a8bb7f5e764e4e2 |
6053 |
5301 |
Regsvr32 Execution From Potential Suspicious Location |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
49c4c4517c1ca707a5dfadad1b8db8afe6380c4546c944335aee3a1fadcc5542 |
5961 |
1571 |
Potential PowerShell Obfuscation Using Alias Cmdlets |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e |
5939 |
3209 |
Potential Defense Evasion Via Rename Of Highly Relevant Binaries |
Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
6a0e84509806d4477d42410fb267c817a01015e3dcc33e48330f8db0ba9709da |
5794 |
233 |
Uncommon Userinit Child Process |
Tom Ueltschi (@c_APT_ure), Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
91fdd3ec700c41d38dcb9127772f866ad831ade83c48c4131aee4842d77be561 |
5693 |
7 |
PowerShell Deleted Mounted Share |
oscd.community, @redcanary, Zach Stanford @svch0st |
Sigma Integrated Rule Set (GitHub) |
7d4fc33c33fc31d17a2c9ee04cb6e1114c58cbeec3fa2b7cd4f5502b2d28d6ba |
5668 |
3180 |
Suspicious Userinit Child Process |
Florian Roth (Nextron Systems), Samir Bousseaden (idea) |
Sigma Integrated Rule Set (GitHub) |
1170a97b19098b92c7fea421765b81d0cea10e0140d9fed3c4d0769718c4b248 |
5580 |
6 |
LOLBAS conhost.exe (via cmdline) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
b29d2dfc7edb1018f0384c6a0606a6f59a25bb2e9e1ff8a0fa4bad79d7d4121e |
5504 |
114 |
Suspicious Ping/Del Command Combination |
Ilya Krestinichev |
Sigma Integrated Rule Set (GitHub) |
2e58fcf707ea25a6c7465ae2a0d4b35ff302cceb7b8fde4ac5d3467d832e005e |
5440 |
358 |
Valak Behavior (Sysmon and Cmdline) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
95388dc52565d97f01bb478463530fac5eb3a7197bbf17fccbd415b4a10a7055 |
5432 |
248 |
Blackbyte Ransomware Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
afd6cd2469ae4639e99a5087deaf57ed3032b6c807da7fb2ff4ccb5eb58c3582 |
5394 |
294 |
CredUI.DLL Loaded By Uncommon Process |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
d95ca36c302040f620589faab34078391fb9db19ee77118e3ad298784775d65b |
5353 |
2074 |
Potential Persistence Via App Paths Default Property |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cef4d3e30776e7c2f6f9875e0ccd23b74182701da04f922481d50f37c50281d2 |
5320 |
1818 |
Remote Access Tool - Anydesk Execution From Suspicious Folder |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e8f71f8fe8e705cebda4bbb0636db89fdd3c7b9c2faebe19bac1e6d0d6db37c5 |
5314 |
1803 |
Chmod Suspicious Directory |
Christopher Peacock @SecurePeacock, SCYTHE @scythe_io |
Sigma Integrated Rule Set (GitHub) |
859cf7876f0c68da27f3e292a5e428393e9a8004af0c330fae9787dac43b7bfe |
5308 |
3912 |
Suspicious Calculator Usage |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
379786e3d43f4df15525494f022a5e59f58acf961a0f2536f20ae374717a9fa0 |
5299 |
54 |
Shell32 DLL Execution in Suspicious Directory |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fbd6086058f7f1742827e4bf39c6a7b3d7cc32120c2f2cd39a924363da2fe8f6 |
5295 |
2 |
Too Long PowerShell Commandlines |
oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
4b2c1a09ad8532fd7bf380feea00e848eb5daf3d246d1f4dac0ef853f29bc01c |
5277 |
199 |
Suspicious PowerShell Invocation From Script Engines |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c089503ba0204ebcc3605f01ef3ba76dfff60846f2bad81faf9eae455e81921b |
5242 |
254 |
Remote Access Tool - GoToAssist Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
df5ad6e42247717e66029569fa91f85ff8a54a54497ee42527054193ce21bc6b |
5111 |
3751 |
Remote Access Tool - LogMeIn Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2d50b92426dd9dacf9cb8f8155e01c1358138fea49e2459c140ebd54d3e45990 |
5111 |
3751 |
Suspicious Mount-DiskImage |
frack113 |
Sigma Integrated Rule Set (GitHub) |
8aa937de88282ab672836441edf50f760451a9112887ad0867753ab1b9fc5a4f |
5096 |
2969 |
Scripting/CommandLine Process Spawned Regsvr32 |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3c839a03f4fc9d7988e0debb79087dea4e4584fa05c3ee8cd7aad8c037b505cf |
4967 |
1648 |
LOLBAS rundll32 with unexpected forward slash paths (via cmdline) |
SOC Prime Team, @SBousseaden |
SOC Prime Threat Detection Marketplace |
4df0b9d85eb21989ce009f134a8fae2edde67a305237b09a9daae0c40abae0ac |
4958 |
2192 |
NanoCore |
Joe Security |
Joe Security Rule Set (GitHub) |
270a1fb968dc6493ee107a0a5e9afce805af2cd2d8675f58a02c418e36821076 |
4922 |
0 |
System Network Connections Discovery Via Net.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
90412c9cf799f0ce454d95cf6bdbef8b1264fbcde3cd6b065ae6aee265882a86 |
4874 |
864 |
Forfiles Command Execution |
Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
Sigma Integrated Rule Set (GitHub) |
1b7c75c23f2baad2051b96c094a3e6fd1d3f27a92c0518c2cfd7257229c57a72 |
4855 |
178 |
CMSTP UAC Bypass via COM Object Access |
Nik Seetharaman, Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a30845acd045e920f165087e59ac6d9461f6c4bfadfa52e4c518e3bcb9d8cb0c |
4835 |
47 |
Potential Goopdate.DLL Sideloading |
X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5e22ec775af6cbc5059b6f7e9228ad35176019128d402f817de8f1d74a4608ba |
4828 |
2131 |
Suspicious Invoke-WebRequest Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
56fe16e9bd72e77ff37f1ceaab3ee67231b676c732b7ff10556298e7a60590e7 |
4799 |
933 |
Prefetch File Deleted |
Cedric MAURUGEON |
Sigma Integrated Rule Set (GitHub) |
c865945cbecb1d16e71f70bbaf2926d63799a2a7a109ded595203301bc777f0d |
4783 |
65 |
Remcos |
Joe Security |
Joe Security Rule Set (GitHub) |
b50b6d86173debc4d608b981e7d6b5136092c515286d20c0eafcce3b7c411dde |
4780 |
19 |
AspNetCompiler Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c72e2995683af253e803fa2fe4fb02eab21f864cf7e63657b4c1f5a21e5cd421 |
4779 |
9 |
Base64 Encoded PowerShell Command Detected |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e75e9983c2277304aa1294c0b077a3139a8405cd1661ccf513a6c05a002acacf |
4774 |
93 |
Rundll32 UNC Path Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e3e74fa33e688408b75baa0f3988d754504296233bf1904baa587d8b17e3c4f8 |
4749 |
2188 |
Drops fake system file at system root drive |
Joe Security |
Joe Security Rule Set (GitHub) |
4754f502f65f5684ed3a2e0c3b8615d89d16535a2ad1fe25ac93f82423267ae1 |
4674 |
2 |
Suspicious JavaScript Execution Via Mshta.EXE |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
Sigma Integrated Rule Set (GitHub) |
f6f3741fe71241687646386731e58cbb9eb5dd4b8db836bb8840c3d02e5462b8 |
4583 |
32 |
Potential Commandline Obfuscation Using Unicode Characters |
frack113, Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1afbb49fc8fb15fab2d75349956e426d182cdd6d06760b6d83594535a112fb1f |
4523 |
402 |
Potential Persistence Via Microsoft Office Startup Folder |
Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b52847695c6477e59d07e791f5afc7389180b1087054b513284bdbadfe15f22c |
4461 |
68 |
MacOS Scripting Interpreter AppleScript |
Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
6ecd0ccd55a70b96ebb8ad35b9fc18b56f99fdae0b1c2d235ba3300b9457b516 |
4457 |
823 |
Uncommon File Created In Office Startup Folder |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f441bf0f20310d2f8fb4c38b047725cf9bafb59c2a7634f73d2d38745157b248 |
4447 |
82 |
DNS Server Discovery Via LDAP Query |
frack113 |
Sigma Integrated Rule Set (GitHub) |
16b459cba08f0827ee9607be238b1582dfd3717c30b129b5f215736d5a3c3e1b |
4407 |
827 |
Files Added To An Archive Using Rar.EXE |
Timur Zinniatullin, E.M. Anhaus, oscd.community |
Sigma Integrated Rule Set (GitHub) |
e5fedf5f2a45c0555943282d3dd05186495acc374df19f7735f92d6d648dd1bb |
4297 |
2 |
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
4f19758bce122aae71a356110cf88e95df101e099a2b95e2472e44201244475d |
4272 |
39 |
Delete shadow copy via WMIC |
Joe Security |
Joe Security Rule Set (GitHub) |
be6d29855558a0e8c404486d8f1838ce35594866f126f9c1c62a9792e9c76be2 |
4239 |
8 |
Application Removed Via Wmic.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
51aa013b39842efa6b0daa94240755c0d8b9d7b71b5cf5cc482247a3c7b8bc57 |
4207 |
621 |
UAC Bypass via ICMLuaUtil |
Florian Roth (Nextron Systems), Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
2219766fcc5e77936dbd9b7310a20b2ba3f5b4aac858c6ac312c81fcc2838d4a |
4194 |
46 |
Rar Usage with Password and Compression Level |
@ROxPinTeddy |
Sigma Integrated Rule Set (GitHub) |
02930d34935e0616b2711790272271498e2a5a03bcf66372f0985d2e89cee1af |
4184 |
1 |
Suspicious PowerShell WindowStyle Option |
frack113, Tim Shelton (fp AWS) |
Sigma Integrated Rule Set (GitHub) |
5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101 |
4155 |
739 |
Suspicious Mshta.EXE Execution Patterns |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
31e1f4457871d51593456a4331811513af82fe4e36d2b26a582dd6baa180a91d |
4132 |
521 |
Suspicious LNK Double Extension File Created |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
a22ff20d7afa397abe4e6127e6da647b437781be86602fc20a88c1403f1200bc |
4131 |
982 |
Parent in Public Folder Suspicious Process |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
84c8381801022afb55be7429db7a75474adba79984c4b957f33c62e931b0f282 |
4126 |
44 |
Cmd.EXE Missing Space Characters Execution Anomaly |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4bb625c721776edc38f264e032f4677eecbdd60e011a95fa267baee02fc262c4 |
4070 |
138 |
Renamed NetSupport RAT Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fede1c0268e88b6a7ec369e9c62c124a24ab5c7f9adc969af706be5000e0e8c1 |
4048 |
393 |
Execute DLL with spoofed extension |
Joe Security |
Joe Security Rule Set (GitHub) |
90c63349e180656f865f6206a06dbee57bd3226b32eb61fba3e6c7c4452d4e1d |
4026 |
1435 |
Service Registry Key Deleted Via Reg.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
024bac7758bc9b41b74cd867afe686054dabf2eddd7128488f92797af3459361 |
4021 |
345 |
Suspicious Non-Browser Network Communication With Telegram API |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
620d128e8f298b86625bd4b6ab76260ff98ffad8b0d6548b49c657f4d01e86f7 |
4003 |
43 |
Potentially Suspicious Execution From Tmp Folder |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
b8017658b8eef8b1293176d76212e600b660d0a36a4f5dc80141324fae360bbf |
3964 |
2498 |
Gzip Archive Decode Via PowerShell |
Hieu Tran |
Sigma Integrated Rule Set (GitHub) |
0df382f7e3b997a4d0a5cf1e3096ed303ea8bef29d4a223899b1bd70c251bc33 |
3950 |
713 |
Bypass UAC Using DelegateExecute |
frack113 |
Sigma Integrated Rule Set (GitHub) |
da3ec62084336efcb20f4f4e3a94268ca6c1665699d00b48e490be7fc41d2287 |
3921 |
44 |
Curl Usage on Linux |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e576f496b0ac03c619b88124a419d2c717d3f5e3f5506a17e145443091bda155 |
3919 |
1489 |
Terminate Linux Process Via Kill |
Tuan Le (NCSGroup) |
Sigma Integrated Rule Set (GitHub) |
51b34db929db2298b58d76a0d73976f3d729eca95d9b480b9513bd0cea6a1d6d |
3889 |
1777 |
NjRat Detection Rule |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
44649563045e4b39ea5ec24c20ca7aa44cde80384aa9b3de04a8bb30862d934e |
3823 |
0 |
Remote Access Tool - AnyDesk Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
0c4da16b3166fbd90cadb96254a8be0f74828fc4eb967256ac0483d9d0a10a96 |
3794 |
1283 |
Potential Mpclient.DLL Sideloading Via Defender Binaries |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
3a9cafc6a4cdfee1d351b5145ef1b7d6a64e707b04945a9fa54298173b7eaa64 |
3781 |
255 |
Uncommon PowerShell Hosts |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
87ff9045efc87047afd66230a3eaf7e4306b89e3d232cfa7c9307b4481ef76c0 |
3722 |
424 |
Renamed AutoIt Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1a5f94b3f0a2443e387f9e068328d36b28cf001899d3d0ccdc05243849ccd380 |
3715 |
136 |
Suspicious Command Patterns In Scheduled Task Creation |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c6cac3013982f7f078cbf7fdc49b83f80fe4377b7ba4434f2533c34c98a85608 |
3715 |
388 |
SC.EXE Query Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
373890127a34a7d314b3d10d451aaacb806579ec3e9ed2515dbdd0a4d4bf7860 |
3681 |
1170 |
Whoami Utility Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4f50c176af3c65d3b67381b2eb36baf45f7c58aa2934ba1b9d94703fb60d977c |
3675 |
1944 |
Potential Wazuh Security Platform DLL Sideloading |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
747c341b87a90e6e095cbfc8c895fbb8cf733b203dd8db9f7875d676842d4e8f |
3672 |
594 |
SafeBoot Registry Key Deleted Via Reg.EXE |
Nasreddine Bencherchali (Nextron Systems), Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
4202d03bb66c7e22943582a6959ff86dea30b0493ca74ce160940b0daf7b2797 |
3613 |
30 |
Potential Persistence Via Custom Protocol Handler |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fcefc4dad7b57e9c907b45137814caa77a11a27696712eecc68d4c6fbdb24786 |
3599 |
1843 |
Windows Screen Capture with CopyFromScreen |
frack113 |
Sigma Integrated Rule Set (GitHub) |
f8a626af728b3adf32c5a523da76b149e1f41d45e55c4f3b2cb7895c3920b449 |
3597 |
494 |
PowerShell Script Run in AppData |
Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4975d97d556849fe2e336bf1c8a5012b84eefe1d4059c527aaa8ec3f903022b2 |
3587 |
981 |
Process Initiated Network Connection To Ngrok Domain |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0aaab6e75614dc39c58e45ef5b3a7f0a1e455ace3bb9041e837370214a92ef58 |
3564 |
13 |
Unsigned Module Loaded by ClickOnce Application |
@SerkinValery |
Sigma Integrated Rule Set (GitHub) |
096069eef3be20474fe171accead2e8d072767682ea5ca1388ac7af2510839cc |
3546 |
305 |
New Root or CA or AuthRoot Certificate to Store |
frack113 |
Sigma Integrated Rule Set (GitHub) |
924e45f65b58d749e29df4b23b32058847bb1b15673ee93b0f9a0fc94359b19b |
3503 |
2066 |
Local System Accounts Discovery - MacOs |
Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
e73eb94c02ee03d3d629b3d54b02d2cf6c9b1dab8a7831ba27d8da0c88755c94 |
3477 |
3169 |
File Dropped By EQNEDT32EXE |
Joe Security |
Joe Security Rule Set (GitHub) |
4740c645e33c5fbe1595ad953f030f0aa29f78fcbd141282536d02587eb05d0f |
3406 |
1 |
Potential Dosfuscation Activity |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3ced86caf89e0cb118bce2037de20fae8f9a70e400916dcdd9c2ee1eec7c58c4 |
3341 |
243 |
PowerShell Download Pattern |
Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
24c9049c81b149aa4537cce166e36f3697878dcdad3fab8b662889d154056d7c |
3319 |
248 |
Firewall Disabled via Netsh.EXE |
Fatih Sirin |
Sigma Integrated Rule Set (GitHub) |
5a783ec4b26d8a6276f21c1226c5896266e2591f44f079ca9950892310b00429 |
3306 |
390 |
Windows Share Mount Via Net.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9816ac44605bf8e1595ecff4424e6d78357aaa8449a03737687a18866b736909 |
3283 |
618 |
Creation Of a Suspicious ADS File Outside a Browser Download |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c73db505c48b84558f4676b0613f79f5cc2c70db3a96086c3a010c535c245530 |
3260 |
246 |
Creation of an WerFault.exe in Unusual Folder |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4469b0111d1f4747a00542caf4ceadd719bff3e7e6e21793e9446d294be895bb |
3249 |
159 |
Local System Accounts Discovery - Linux |
Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
db147f594af74bbd5641cf034cfa4ce699110ac6712abb1062141aefe2d13704 |
3248 |
2797 |
Bypass UAC via Fodhelper.exe |
E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community |
Sigma Integrated Rule Set (GitHub) |
4793e3844bd4ee212795ee4a6bf167b869d51840732845bf0d2aa41f7481e6d7 |
3186 |
16 |
Suspicious Process Execution From Fake Recycle.Bin Folder |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ef5803d60821ec99134c6c0fa0bd37ea1e0948d9f28c15324a15eee9929e4f34 |
3163 |
2 |
Suspicious Non PowerShell WSMAN COM Provider |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
b42a14d4eb96ec45f6bc9ca190be91d043f6ead5ff998b704aabb76605041d4b |
3136 |
275 |
Potential Homoglyph Attack Using Lookalike Characters |
Micah Babinski, @micahbabinski |
Sigma Integrated Rule Set (GitHub) |
a2dffac0fcddbca9dddd5b57f9a9841ae8948007b05988ff3ba4b101da5fcc45 |
3113 |
223 |
Potential WWlib.DLL Sideloading |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
acfdd695b50334901b76498dea74721b8b3767958af4dfdb031aebc613d6ff72 |
3113 |
1957 |
Wscript Shell Run In CommandLine |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
83ab725e0e176c0c59e352231c53ea9aca280a122aaa1c79b3ac8cd955147dab |
3097 |
102 |
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
f9da722f2b9be68744c84591d71fc78f53410669a0b7da802cb3abdb56d3fd72 |
3080 |
1 |
Suspicious Driver Install by pnputil.exe |
Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
8fd9d688a4929d85f6ba829ccf0fe235ff5f6bcc6ac25306e6425671b81eaa80 |
3065 |
2539 |
New Lolbin Process by Office Applications |
Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update) |
Sigma Integrated Rule Set (GitHub) |
8a45e61fc1757825afcd5eca531a7940c6b8fd8ed95faee7b3ea517339e0ee17 |
3057 |
12 |
Installation of TeamViewer Desktop |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2495a5176f32a1fe533956bb584ac28d8b3080d4d27a4a91f60fcf3c24bbfabe |
3028 |
2705 |
Potential Persistence Via Logon Scripts - CommandLine |
Tom Ueltschi (@c_APT_ure) |
Sigma Integrated Rule Set (GitHub) |
931dce221464a1df97b4bd50fa971fea5b71093af0032d4e392a2f74e9bab9c1 |
3026 |
7 |
Windows Defender Definition Files Removed |
frack113 |
Sigma Integrated Rule Set (GitHub) |
bde07bc9414d410eaf67f99408a24b51b4b8d186451e641a9a90076cfac22613 |
2965 |
8 |
Potential Execution of Sysinternals Tools |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
c718a898b26d6c8f64602f1b33c49df17864599a9ba4a879a1ac22848dbda174 |
2877 |
493 |
Vulnerable Driver Load By Name |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8f6a6cfb95501925772edc51e1db78dd76eea0e212ed3a9923b1a0de9d552371 |
2849 |
655 |
Removal of Potential COM Hijacking Registry Keys |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
85b8f7bd2db84db2632bf9e5b9b9402e829785f546868fe1a62c7a6002a6eb60 |
2818 |
670 |
Potential Crypto Mining Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6bbafdf03b2a79de4fa71f3fec777333b907de6172939c7a35b5bed23d4a4b82 |
2787 |
7 |
Powershell Decrypt And Execute Base64 Data |
Joe Security |
Joe Security Rule Set (GitHub) |
d77da6b7c1a6f6530b4eb82ca84407ff02947b235ab29c94eade944c4f51e499 |
2785 |
4 |
Conhost Spawned By Uncommon Parent Process |
Tim Rauch, Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
6f60707627a0617e86bd3005d8ce73a34fa6e674c0169d593509953d67bfaa2e |
2777 |
424 |
Potentially Suspicious GoogleUpdate Child Process |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
09412b30e562e2ce76bfde7b363c711eb8d82f225e5c33b969989c68181d63c4 |
2765 |
796 |
DNS Query for Anonfiles.com Domain - Sysmon |
pH-T (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
21c4870bc492f9b979f795cb98b5fd283fad4043432a9c3cd239097f04e945ee |
2763 |
26 |
Firewall Configuration Discovery Via Netsh.EXE |
frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' |
Sigma Integrated Rule Set (GitHub) |
25c7926ea5dfde7ab41cd4aeebfb89e01d4dcb8b7243522af4f643f690d857c7 |
2678 |
296 |
Powershell Download and Execute IEX |
Joe Security |
Joe Security Rule Set (GitHub) |
317ff64a1d49452191210f7b55d7201e483352440ec851a9c716f6be7cfb7ec9 |
2659 |
111 |
Sticky Key Like Backdoor Usage - Registry |
Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
dd211e6e9cebdae07f1d14d61650061c791829402d134a1a9e064ae72b6c4cd9 |
2630 |
25 |
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell |
Markus Neis @Karneades |
Sigma Integrated Rule Set (GitHub) |
1ca8739651295d88708cb5ddfb7a115ae0d202152a80ee4c7871e62f3509c938 |
2590 |
8 |
System Information Discovery Using System_Profiler |
Stephen Lincoln `@slincoln_aiq` (AttackIQ) |
Sigma Integrated Rule Set (GitHub) |
52daf4142ede041cf96ed7f183802efd774d9000b614dad0ea8cce461bedeb6f |
2536 |
780 |
Suspicious File Creation In Uncommon AppData Folder |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8c035500d22804f658be72a55a2b5d591891e0a77e57447d0f0c6f62f89e9ade |
2521 |
53 |
Share And Session Enumeration Using Net.EXE |
Endgame, JHasenbusch (ported for oscd.community) |
Sigma Integrated Rule Set (GitHub) |
7cb4a3985bd24a137550fa4c49b1da3fb949c3cf182a90950438e97aaad46378 |
2511 |
487 |
Renamed Powershell Under Powershell Channel |
Harish Segar, frack113 |
Sigma Integrated Rule Set (GitHub) |
a470fbf97e0f7a4d42fd59ad6332c7521f57d919e725bc61c84ea7ee2e451426 |
2483 |
381 |
Potential Suspicious Registry File Imported Via Reg.EXE |
frack113, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
7c610f9de41fe35b34a2cbbdb30ffc39573016dafe890f4164dae07613c21fd7 |
2472 |
758 |
Droppers Exploiting CVE-2017-11882 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ea2bef709a3e478516f914938492950992d22f0077ede5a561e60f2c092f4dec |
2467 |
579 |
Potential PowerShell Command Line Obfuscation |
Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) |
Sigma Integrated Rule Set (GitHub) |
e6fdb32f143bba16a3ea06247ced55b7b90f8b5b5c6c26ddb95cdcf23908af8a |
2465 |
150 |
Boot Configuration Tampering Via Bcdedit.EXE |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
Sigma Integrated Rule Set (GitHub) |
2da0b3cba5dc2b56e1426049598590c54a224e6d15740b9b07c108e089c84520 |
2462 |
43 |
Suspicious Extexport Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
942c07d4243aed525402c1e4e2f9880b477ba72abc7023c30c9c10737399e077 |
2456 |
89 |
Suspicious Remote Thread Target |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
35516fc873ed87d5b0b7a43b8533ffc2f5caa47a50e9166c663b25628f65fed4 |
2413 |
40 |
Possible new Cobalt Strike dropper |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
3cb32dc8f1ba61964f235761eac5b49d22264f521e003ce641a508eaff8d0eec |
2406 |
571 |
DotNET Assembly DLL Loaded Via Office Application |
Antonlovesdnb |
Sigma Integrated Rule Set (GitHub) |
df9179ffc950a7d9549e0d76b5a95a94d3b366fcfde63b70a6b7a7215d0d97b5 |
2402 |
2239 |
CLR DLL Loaded Via Office Applications |
Antonlovesdnb |
Sigma Integrated Rule Set (GitHub) |
6362c65a14d81807ed78ab9e2fa99fbb546c067d39b3b63846c820e5c401e2e3 |
2382 |
2238 |
Ie4uinit Lolbin Use From Invalid Path |
frack113 |
Sigma Integrated Rule Set (GitHub) |
186b21df711a2c225bc97a789a6794326e96247d7982569c6a23484bb7fd61fa |
2328 |
696 |
Dllhost.EXE Execution Anomaly |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
55e193a1988b8c8a7a5a6a43dd2962320dedbc26a63c88ad59d1df2fa6897da6 |
2326 |
7 |
Suspicious Execution of Hostname |
frack113 |
Sigma Integrated Rule Set (GitHub) |
87d10b87f13ab6dd0ee17c311d476bcf6fce51f746e639542c1c6c08b6ae8071 |
2323 |
659 |
Use of UltraVNC Remote Access Software |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b6d588df62f37e97081e8f05b809fb56a925b1514f359dca67c7b51fe46c6812 |
2323 |
396 |
Service Reconnaissance Via Wmic.EXE |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d9ee3f478c792e1c6683bb60949d7041271eaeee5e5927b518a6f65e7da2607e |
2294 |
281 |
Pykspa Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
daabc950b44baa5580ce5e56de6f2f363ce1854a5273ffd3ac321453e35a83b0 |
2292 |
41 |
Suspicious Program Names |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3dd877e77def39df894b8703b956bdc819796feea2cf44bef9f73339d5a37b5c |
2280 |
120 |
PowerShell Script Dropped Via PowerShell.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7cf0b126730658e7c96da1ae0b63c1bb84154a239ca32c09909963038dfdcacf |
2273 |
563 |
Registry Hide Function from User |
frack113 |
Sigma Integrated Rule Set (GitHub) |
82ee39002b5715b57e2aa8b1d93068fa1c6e7147795a59563c5812d827f7f3de |
2262 |
12 |
Cscript/Wscript Uncommon Script Extension Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1168f1f8b0347e370d4f049726cef5752fdd4db77ea2e8f33d611739f3257b7c |
2243 |
131 |
Suspicious Execution of Shutdown |
frack113 |
Sigma Integrated Rule Set (GitHub) |
157ee4e95270f64481c50464c0e4766830e1e2b38b214a98f9e3f977857c6c69 |
2212 |
349 |
Always Install Elevated Windows Installer | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | b7188ffaa64031d83c409b5110885c29570d52a6ba3bacaee0392371cf071016 | 2197 | 1073
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE | Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 624e5e799c1829ffc2199cdf5c7bc356cfb6da8137626ea544cdeaa8ee1d5c75 | 2195 | 65
Sakula RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 68a19d3c88378331526d97065cc73f033a6ff79b1ebd046f7d815d967bd2dd69 | 2182 | 0
Legitimate Application Dropped Archive | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 0b57c6b31ce9eea5f85c018839666b92eb3444ccbb55a5d93f7b89a74cb7daf6 | 2181 | 1951
Register Wscript In Run Key | Joe Security | Joe Security Rule Set (GitHub) | 530f42d2839f1cd12564a3743f6b294d960920a76da960e2c17e5337c43df9c4 | 2166 | 15
Registry Modification Via Regini.EXE | Eli Salem, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 876619ed554fa68bef3ccfc88d359efb8c1f05d0781e13279ff3c4ff29f4989d | 2166 | 262
Legitimate Application Dropped Script | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d15bc5d08223728e30ed4330ad99024b1467ac8ddb073e7ed368b0468898e80 | 2163 | 302
Suspicious PowerShell Download and Execute Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdb4652f83b1c4482478b0c14bcb08d332fcd600a7303ab1c709c543499be726 | 2125 | 82
Trickbot Malware Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1c7a83aaaaf300f7e44e597465797c7e812cc0c684756d1be37d0ac7acf0dc5c | 2124 | 0
Proxy Execution Via Explorer.exe | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | b32b8c78e20435f731c3241fbfb6354a0b9f86ec81cc5ee202e0f0cf13bf110c | 2083 | 220
Wab Execution From Non Default Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee4aa57ce6316f4a46bc9e62a1748e7d5d687ad6315114f4d4eff654910c961c | 2068 | 231
Whoami.EXE Execution Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 05b85f64fdf521b059aab9daf9d75829fa4a5febd27fe09ac0224e405b57a654 | 2014 | 187
DriverQuery.EXE Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a67413f6ee51de2df640e8a66bd1d745d4e44207f484cbd3b33ac3b3fcbb0688 | 2010 | 280
Potential Configuration And Service Reconnaissance Via Reg.EXE | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 218d6661cbefbe4342fb5e6f0aa14df5602a3a39691bb19b246644804e6d341f | 2006 | 315
Browser Started with Remote Debugging | pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4eba2a7f729f2c02ec972ed01919c8bf5d2b8493f9d6a934f14cf0d3a55d14db | 1978 | 271
Group Modification Logging | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 48fbab3f0d31a3776ce8099e24b7c20af280fc9952c2d83fb8e54e4808a7d506 | 1975 | 185
New Process Created Via Taskmgr.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bd4c20ecc3fa26779f917ddf7cd594af5a64805084e11c2a680ade82d77b01ed | 1967 | 2
Suspicious Scan Loop Network | frack113 | Sigma Integrated Rule Set (GitHub) | 14d137deb681ad845cc2e1992b2e9cb3490ddb1372d62da747f4042d7e6b87b0 | 1966 | 186
Potential Windows Defender Tampering Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 3ba90b1c0830dec1dbbd2f42eb503552860963d25a6bbe081b92875c243be50d | 1960 | 15
Malicious PowerShell Keywords | Sean Metcalf (source), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5bd56545b7e384edee75e378b7ee025e05f6bcb012607cb6425ccedd54fdb070 | 1958 | 196
Set autostart key via New-ItemProperty Cmdlet | Joe Security | Joe Security Rule Set (GitHub) | 20d65fc22a4ca2deedfc3a40bcfd0522766c18fa1ebd190b9d8fd068ee94ec0b | 1953 | 8
Usage of Renamed Sysinternals Tools - RegistrySet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 96f6bdacbe2704258d0efb6732980de5d8c8fb4c21f34072ec9e4e2267271ec0 | 1945 | 171
Set Suspicious Files as System Files Using Attrib.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afdcecbde34527044e8c4c24e502ed3dfae6daa2d07665ad18226afff77ed6fe | 1929 | 54
Suspicious Recursive Takeown | frack113 | Sigma Integrated Rule Set (GitHub) | f3043e9cf491489279145a8ffefa67bbe2fc398be8117092c11cdfdc2f9768e7 | 1928 | 1161
Uncommon One Time Only Scheduled Task At 00:00 | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 85cd399008ef4733657024eb14bcee01c9eda5cb5a070f2f186550293ebe4d29 | 1912 | 51
RunDLL32 Spawning Explorer | elhoim, CD_ROM_ | Sigma Integrated Rule Set (GitHub) | ac298c53d8d1f5e60dfe82fb023ca044b4a7477be65c3b5eab997e0e9cf64528 | 1907 | 187
Powershell Execute Batch Script | frack113 | Sigma Integrated Rule Set (GitHub) | ece68c3b6fda1fe5c7d8707c5dd9099cf564ed0e7e7b480e97278c475f10e5a7 | 1880 | 849
New Root Certificate Installed Via Certutil.EXE | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 7e27ad096cfe35b247261a88a0082eb1feb9c110817bfc4774f404f8f2958328 | 1879 | 361
Vulnerable Driver Load By Name | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 01bc5b8a84214e476feda4fcc9c76cd6f44b3306dc67b15f214bc791497235f0 | 1860 | 658
Potential PowerShell Obfuscation Via Reversed Commands | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 474582c275339926ac17574ab90c8246d89014d6b66a4312e8e3edb7277ffba0 | 1851 | 98
Finger.exe Suspicious Invocation | Florian Roth (Nextron Systems), omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 7014c2ce26877573641173ba99dcd8d8af4f637986c42be19651a8a37c5ead6f | 1819 | 34
Powershell download and load assembly | Joe Security | Joe Security Rule Set (GitHub) | 32fcfd50f2fcf0aa58bebfbfb09b7e32b7349a17a5c1aaea5b18783f458c4e9d | 1818 | 8
Suspicious PowerShell Parent Process | Teymur Kheirkhabarov, Harish Segar | Sigma Integrated Rule Set (GitHub) | a4d012f0f7c21ebed94f8e82f4910702fcbcd9d21bf70e4b1b039f48970d1bbc | 1800 | 151
Suspicious Group And Account Reconnaissance Activity Using Net.EXE | Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6782835a8af9329207a47fe5076c3dff20a8803bafbda97ddc938ae379eaf8df | 1798 | 147
Disable Important Scheduled Task | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09601976d693769f1fe442a0618410420380d7de7aeec4e52c0ebe6e3ebebe56 | 1791 | 96
Regsvr32 Execution From Highly Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6c6985a0a641b52c4f0f82f7c86c62603a68482d3a2dd76787a91435f6022c75 | 1780 | 618
Python Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4eb25eff0b4d84652480301d5845b79be20cecc54ff18737ad9fde16370bcb4a | 1767 | 996
PowerShell Script With File Upload Capabilities | frack113 | Sigma Integrated Rule Set (GitHub) | 80e1441e8251586c742da610b4bceb4d94fbe79f4e8b64b9745b6a11da90d7c1 | 1764 | 543
PowerShell DownloadFile | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f0282b9dc90a1761ed8cfb90b52bc5f53c2c8ccbff1ca29790e8d17c7eae56dd | 1762 | 140
CMSTP Execution Registry Event | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | ffeb4d256edb1234faf30da37a584025d92817eb5a21c5394c4c6d78e3922d95 | 1749 | 34
Activate Suppression of Windows Security Center Notifications | frack113 | Sigma Integrated Rule Set (GitHub) | 3729c929acbee7cae1291d3e460c3e673684211679e8a94cbd1297192aafdd06 | 1745 | 4
Suspicious Msiexec Quiet Install From Remote Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 62641a1f33f67c78cb5f920f86788ab9e084dd90a20f1bbe56bd0de87f85b129 | 1731 | 281
System Information Discovery Via Wmic.EXE | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 323231f5fffc92ef7ff7f631c4c88594149ee8841ff32c3c742054b37f17e6ae | 1720 | 174
Rundll32 InstallScreenSaver Execution | Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec | Sigma Integrated Rule Set (GitHub) | e6082733e3e0087a0d92bb4d25eb43218d2a86b3681b4d5ee37ab8c2e6ecde4d | 1716 | 496
PUA - WebBrowserPassView Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 33f5c9533af9250ea025177bce3fdac08e97300ebdcb88f194c75a49a985bcfb | 1710 | 3
Renamed AutoHotkey.EXE Execution | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | faa3bfbb393e061fd71e00b73b6f984037d3a2b68f4e57eb09b3de8ccd76fd1e | 1704 | 20
Dfsvc.EXE Network Connection To Uncommon Ports | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d7a62dc09883785488daa6144af5d9bfda250d5660d8c6978c160b54a716b30 | 1698 | 201
Quasar | Joe Security | Joe Security Rule Set (GitHub) | 295f36b4fe50737f7d27a3862ea45297f78efdf77ab2decd501b4a852765ceaf | 1697 | 5
Copying Sensitive Files with Credential Data | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 8712e0baf2cbfba40ac1ad1854da93829b0f78d6eba117de03912aa985d46a79 | 1688 | 3
DNS Query Tor .Onion Address - Sysmon | frack113 | Sigma Integrated Rule Set (GitHub) | 674f76f777472c9d2fd1dbb116a9a1a6bf35dac71c41ca14a21ac0493d7f471c | 1662 | 144
Ilasm Lolbin Use Compile C-Sharp | frack113 | Sigma Integrated Rule Set (GitHub) | 611acd0c150597ac4f2758e96797e2e85ce476be43fdec2817e9cd8bcd44de66 | 1662 | 127
Silenttrinity Stager Msbuild Activity | Kiran kumar s, oscd.community | Sigma Integrated Rule Set (GitHub) | 6a6afb8a168ede702164bc1169f8f046647310ca518ed5dd776966148a0e9532 | 1661 | 9
Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f47281ceea7e998eb629b82b6be68c1aaa23f6b18111420b7a52cd72b575f527 | 1658 | 0
Insecure Transfer Via Curl.EXE | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 77ecce5ea77940e3b7b82f2766d696c4bf16f75a458c3ddfe650f26d4475fa74 | 1651 | 257
WinSock2 Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 688632515df3a00cecdf2ee4e9316bea52edf73c9cb0889c10d336de857c293c | 1637 | 239
IE Change Domain Zone | frack113 | Sigma Integrated Rule Set (GitHub) | 1fd27acf648f3f73802533ae95c6e367de8eb32fe05e9d3b52913ec54401a5ca | 1609 | 467
Potentially Suspicious Cabinet File Expansion | Bhabesh Raj, X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2c33916c73b8057eb865f965b0e9e05fddeae85fa5405eee775a7df4cd58173d | 1597 | 144
Suspicious XOR Encoded PowerShell Command Line - PowerShell | Teymur Kheirkhabarov, Harish Segar (rule) | Sigma Integrated Rule Set (GitHub) | 3df27b5ffb8110f82c5da9120fd9c1c88c792ef65770b7f2706fc60a04b9cc9c | 1575 | 145
Add DisallowRun Execution to Registry | frack113 | Sigma Integrated Rule Set (GitHub) | aaeb77150a9427eedfb3c4c85538e120e703cd22905d020b93856bb7ebdb03a7 | 1565 | 11
Firewall Rule Update Via Netsh.EXE | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8984d13764576549e824707eeafa56e2bc51d0ba2e3cccdb362a5dc69926c991 | 1542 | 225
Invoke-Obfuscation STDIN+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | fddefdc90062c691bc46bba8afb5fc6b455c1d7141337a963441437d5355a6c4 | 1534 | 28
Curl Download And Execute Combination | Sreeman, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 78dc71a5599dc85b3d37a6ab0f014aa5110b2ce1b2346c8f2730e0c481977781 | 1514 | 26
User Added to Local Administrators Group | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fd4f9d3b927e38cad7f6a36f5f41cae6a1450b551d9506408259953d8d4ee23d | 1508 | 199
Wab/Wabmig Unusual Parent Or Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1c3bd5d3931125cc632573be718453c2b36b0f1392032fda05ad4d1982d1c0cc | 1498 | 20
New Kernel Driver Via SC.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b1f54a781e9cc27de125f11b56abc94639629aaf0f1fdf9072886fde50266b7e | 1492 | 483
Dumping of Sensitive Hives Via Reg.EXE | Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113 | Sigma Integrated Rule Set (GitHub) | 4caa5ae7b301d0b7382caf525ab9dead072ea9efadc1f7cc59d8a59c20b0fe57 | 1487 | 548
Remotely Hosted HTA File Executed Via Mshta.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 25fb50db6056bc3db5e2f3d8d53b6ef8b6fad41ac3ecaf0386e316bd1711baf0 | 1480 | 49
Suspicious PowerShell Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0c6e3c35fbd166dc96fbf3faf4f052230a9cc9db642ee3bee40f5c94d5938d03 | 1465 | 45
Copy file to startup via Powershell | Joe Security | Joe Security Rule Set (GitHub) | f81996947f17d7a0b11829404a9a1b42e1041d6d013b0021dda3bbbb35dfa106 | 1459 | 2
COM Hijacking via TreatAs | frack113 | Sigma Integrated Rule Set (GitHub) | 849823df2c9dd0af3b0d2474c1008165e48a5accc0c613e62140502a1eb678d8 | 1452 | 726
PowerShell Base64 Encoded Invoke Keyword | pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t | Sigma Integrated Rule Set (GitHub) | b064d328910e5b6554d91ba5ed74ef613fac96a491b96d7456084c26c3cd376d | 1451 | 93
Powershell download and execute file | Joe Security | Joe Security Rule Set (GitHub) | 1fd2d09eff791a970cc2ad6da0820134ef9d52d4341ab32028edd04e8dd158bd | 1449 | 33
ilasm.exe execution | Den iuzvyk | SOC Prime Threat Detection Marketplace | 382ffab0f18db16a9fabc5be94893af76646b4a1c35d436ba2ae16961943008e | 1449 | 57
Powerup Write Hijack DLL | Subhash Popuri (@pbssubhash) | Sigma Integrated Rule Set (GitHub) | c50b384b3d0f5d468c48abf6ac8fd6095727405ed00d170aeadf0fc1b4add34b | 1448 | 254
PowerShell Base64 Encoded FromBase64String Cmdlet | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b079b9bebaa7ac01f379d6d83aa123ec20bc9068b9a097e09aec5f87b42d91d1 | 1447 | 58
Suspicious PFX File Creation | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | ec56e35983955cbc753846d06d67ba2cf88a10a498711ceb84afe1322ca958a1 | 1447 | 797
Suspicious MSHTA Child Process | Michael Haag | Sigma Integrated Rule Set (GitHub) | b9bc90b7745bcb3a2cf9de40d1d419d18ead6650040015c7f4755848e9bfdb05 | 1441 | 179
System Information Discovery Using sw_vers | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 2ccb76001b1d9e10e5bfde545cebc203b585a87dfae5be9eaefcbd6d2e0a1c54 | 1439 | 1071
Suspicious GrpConv Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa2a49ac8cb28455a3f30cf373b4ee1ade0b735bc1db5a574956be8f95fcf6d7 | 1429 | 466
Invoke-Obfuscation Via Stdin | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 92f548de44082f5573a9a1cde5e0716b71988288605c254b85f32d8f3405ef83 | 1411 | 53
Suspicious Rundll32 Setupapi.dll Activity | Konstantin Grishchenko, oscd.community | Sigma Integrated Rule Set (GitHub) | f85bfb745e5bbdd54cf800d8d7e40f16b02685138c13830986a050536d69aa0d | 1389 | 332
Powershell adding suspicious path to exclusion list | Joe Security | Joe Security Rule Set (GitHub) | d933fed60e38128e7e3586361ae42b885a5285e04ab14da997282550a77a9059 | 1352 | 132
Enumeration for 3rd Party Creds From CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9459f67b1253cc08abbddb96a073b963a102b013d6fb679d6a0273540ad7b19f | 1345 | 343
Suspicious Scheduled Task Creation Involving Temp Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c81c0126a6006ad9dbec7215030642dac0a918f133b33aa4c077f9676d84cd58 | 1340 | 2
Wscript Execution from Non C Drive | Aaron Herman | Sigma Integrated Rule Set (GitHub) | 2f480881c25523a22197ce2abfca8d05a61f804534f8a053fbf65303a9375332 | 1339 | 73
Relevant Anti-Virus Signature Keywords In Application Log | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | 39e7fb552f1143dc6ba79ca293aaea514c20448ec6241a53cf150f29298b942d | 1336 | 326
Suspicious Creation TXT File in User Desktop | frack113 | Sigma Integrated Rule Set (GitHub) | 965125e7c09a79de6429b9218659a7c8785c989273642091a7ebae3bfbe920c1 | 1322 | 734
DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7c58e06f9c4bfbbca18106234f802a2f21fcd03ca11bcc0d10c040d1e451d4b1 | 1317 | 8
CMSTP Execution | Nik Seetharaman | SOC Prime Threat Detection Marketplace | 58d4fbfb0b53744348e77deba3d12df957601d7b27fda30abc676523e9634cda | 1303 | 21
Stop EventLog | Joe Security | Joe Security Rule Set (GitHub) | 35db6f1fe683cbacad6aa4943d1220e844a15d069404bd602fa782a2ff05ea1c | 1284 | 1
Unauthorized System Time Modification | @neu5ron | Sigma Integrated Rule Set (GitHub) | fd18f89d9ade39f1b15ef9cc31ce8423991e3c873567ec9edc2cb1a45ac79f69 | 1273 | 268
DotNet CLR DLL Loaded By Scripting Applications | omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 5c2eb7356281203a2556ea40a71892ba7a369c46d5f2fc4574a427ac968c097c | 1269 | 688
Invoke-Obfuscation VAR+ Launcher | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | dbba719e722ed35e6290aec93e2c9879ef0eb3966254ad9f15c73b24f11ccf9e | 1269 | 15
PUA - NirCmd Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b206243f31b4de9b9721047301fe3728fcfc85f7c7db682bd477e0d7c41093b1 | 1258 | 78
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE | @neu5ron | Sigma Integrated Rule Set (GitHub) | 388ce51cb79d4deced7fce86e5dcf1e2eec1c04720fb2fc7e451d12abbd53416 | 1248 | 593
Suspicious Electron Application Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b1f50cff6a2e8639ee801986adca76402def027ff7616841139cbf2ab32e2f0 | 1238 | 84
File Download Via Curl.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2ba177894c99b540ea867640a2706237f274cc5b176aeae69bbe985e11bb1b06 | 1232 | 522
Weak or Abused Passwords In CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 505504b564af2ed8ba77826b758a9eb5bda1701b18ffd11a5266b48d417692fe | 1232 | 512
Renamed AdFind Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 12b8d345b794db3ab93ddfad353edbac7bb89f27e11dfb968d1e97cbe1061cdb | 1193 | 900
PUA - AdFind Suspicious Execution | Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 1e88d14fe153e2c630eb9bdd7e321d7dc3d82670a31f1b36fc90cb6cbc362136 | 1191 | 900
Session Manager Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 9acd91066b664aa3f4181a28555facbc432bae9a4c8502aa92ceae1de1f31753 | 1186 | 311
Office Macros Warning Disabled | Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c343cc005c090768ceeda7de8ee3ac77e284a81d14c5a803a4fe3a2cab1e3f83 | 1179 | 9
Operator Bloopers Cobalt Strike Commands | _pete_0, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | fc1c644d943e763e67a7951dbec3c33d1e4710aed85f336a114eac8b43c735f5 | 1177 | 18
Delete All Scheduled Tasks | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 828f57327c792b3d7689543c6e7d2a87b71f15589b3c45366d0486473f86b2c1 | 1164 | 6
Malicious PowerShell Commandlets - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6109e5a50653d03dbabfcf3bdf71fa77c6e2430050d589990fe4869424a68d5f | 1164 | 266
DLL Search Order Hijackig Via Additional Space in Path | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | eec4fdc586db73cdad5bc34b172ecb132a75f4607c84cdeef26a811db01918fd | 1151 | 18
Process Proxy Execution Via Squirrel.EXE | Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | a7aba66fc56c50a87fc053cf4dbd37af1845fac642e98272db5c4d804dc66de5 | 1151 | 793
Recon Command Output Piped To Findstr.EXE | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | cfe5725f3bf0ca4bdbb0fa295dc9f4f317fdaeb5a37cf2252678c2c1c2e4a915 | 1142 | 486
Powershell download payload from hardcoded c2 list | Joe Security | Joe Security Rule Set (GitHub) | 5c6454bb6fd16d176798dcb8685eabffc5295c27b7c2c471512f66343a885a24 | 1141 | 6
Persistence Via Cron Files | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | f74e8628441aa3b7bcbf82dd77cc025925e34078d02d169dd947db62675dbeaa | 1134 | 68
CMSTP Execution Process Creation | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 4ef4d3aed2ed44386659d6aefb7649de9568189358f367fb8708d1870d19fdc7 | 1131 | 32
File Download Via Bitsadmin To A Suspicious Target Folder | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a88a5cca5a8f8c7db551190230651c821a8acb62ba7f1da53866381af9c5263d | 1125 | 290
Space After Filename - macOS | remotephone | Sigma Integrated Rule Set (GitHub) | 2b3ab43da00d1cb60c0d3f837ce61f81355c37b68a1c3e826e66d68962c57752 | 1125 | 130
EKANS/SNAKE Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 164ef4a9c3213fa19bce8c0def1c7e491e774e8b12b55aaf55c5cc2732b4386f | 1119 | 474
Suspicious Volume Shadow Copy VSS_PS.dll Load | Markus Neis, @markus_neis | Sigma Integrated Rule Set (GitHub) | 90a2634e64f0a02343bf17b797e3d249061fdee81d36e5dac2d8e3fe2a2df280 | 1096 | 79
Steal Google chrome login data | Joe Security | Joe Security Rule Set (GitHub) | acba408186cae97e9de5ad46ba35ffdf61f94f181c5287bfd9e76aa1e5293b1b | 1091 | 1
Fsutil Suspicious Invocation | Ecco, E.M. Anhaus, oscd.community | Sigma Integrated Rule Set (GitHub) | 4b8a086b898ff9eb51b0489b98e2619d0c9fe2cd94e29325ec8a4c2250220b8e | 1081 | 29
Decode Base64 Encoded Text -MacOs | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6101f5b902371808a5b407d66c189f259bec69ab6b4cf5b58a655af663843c71 | 1061 | 47
Potential Emotet Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ada08103432e4112d167b1d10f0fc02281936c8fcb181de17d5bca07755bac84 | 1059 | 2
System Information Discovery Using Ioreg | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 8276e9cd0b9b7c3f0b1005650ba6ee31d135feb4851ec2c1fef43e0ad32f66cf | 1057 | 507
Extracting Information with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 4e243e6a618f306cfd754df3b30132c4fa518c4ad26b6d755244064cd3110b0f | 1055 | 617
Potential Browser Data Stealing | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f302700c67727730ec082001e9f6840f366aca520673a11d09dd130bfc31429 | 1048 | 48
HackTool - UACMe Akagi Execution | Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3c4f6f1af78c01c8d7d6fcdd27c3167044933fcdf73f667e973ce1068765ea16 | 1047 | 20
Potential Suspicious Change To Sensitive/Critical Files | @d4ns4n_ (Wuerth-Phoenix) | Sigma Integrated Rule Set (GitHub) | eb81e21bcba6fa7eb54dbacb299fbd6d9409d1f0a91735cb19dae4620da3620a | 1044 | 999
Windows Internet Hosted WebDav Share Mount Via Net.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 958619e5eaecca1767a6c71701ed1838a9cbb62ccabbe7c6a9d8679a3fc0e0f8 | 1044 | 271
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate | Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 149998404377f72bc44b77b90b9339b9992c7ffdfa4ac2f8b9197b502ce28357 | 1036 | 542
Suspicious WmiPrvSE Child Process | Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | eb1dbd652c505f66652af5683ecfecaacb1483523b07254e9d1eaee151af6ec9 | 1036 | 0
Suspicious Query of MachineGUID | frack113 | Sigma Integrated Rule Set (GitHub) | 5b823c33b4d7a619c0190d52bf60fd92f6768d9bff34fb85446b00ca141f030a | 1034 | 484
Windows Defender Real-time Protection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | a1c6c38c5e7bce405aa9ef27dce9dc9d160e553efc2e947b0b78b5f78219aae0 | 1032 | 1
Rundll32 Execution Without Parameters | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | de72fd0fbb1418b8eddde8492f15f221fc84e0ca0d3ca576ccd0ff897fb98037 | 1031 | 25
Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4a1bfdd64820625ce8a3a3a1703ba1575511aa7971c4320893b9fa4b51c65a4a | 1029 | 22
Malicious payloads that are hidden in fake Windows error logs | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a0266c26a19ccfed14f484c3055ab6ca00bdb3123ee47a1a36410d63d33650ad | 1027 | 271
Potential Startup Shortcut Persistence Via PowerShell.EXE | Christopher Peacock '@securepeacock', SCYTHE | Sigma Integrated Rule Set (GitHub) | 537a092527e25f9e54a3ddb6667c0303fbda5891d2f933ec0fc62bd4a5572cb4 | 1021 | 84
Malicious PowerShell Commandlets - ScriptBlock | Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer | Sigma Integrated Rule Set (GitHub) | bbb841b3f1cb3bdb122737ca0755cb93d982ecca4651de2822af469b59071f87 | 1008 | 156
File Decoded From Base64/Hex Via Certutil.EXE | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 2d3c931bf891955b7bf9d7745ece5f7bf306ac6c9a9ab72ee992a6d199bc2aae | 1007 | 52
PUA - Process Hacker Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9a58c7a82520f7b9dc792cd56e2fce86b3157b6cef6fb23101ba29111c5e4733 | 1002 | 13
MZRevenge Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | aa09c929bbf92e934dc584324a80a81643f2c336dba38293142077f86bdde84b | 1001 | 518
MSHTA Suspicious Execution 01 | Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) | Sigma Integrated Rule Set (GitHub) | 7a63d1c1bf6ebb277b02d4893066d3732e3d7df562cfdbfee275bbc5c4de0951 | 993 | 238
Detected Windows Software Discovery - PowerShell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 2f2546b453b2e10b60c4d6b1345bc05c2dc99e42daef2e236a11005d772937ad | 990 | 146
Potential Encoded PowerShell Patterns In CommandLine | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 157d3e7415430b97001871f8aecb592075581e05187450141e56c252318f2b26 | 983 | 105
Powershell Token Obfuscation - Process Creation | frack113 | Sigma Integrated Rule Set (GitHub) | 6dd3abd7ee97d24f91e01e6fe236e6d2b8b12c2943ed9bb875e5613bf3deb8d6 | 978 | 46
Remote Access Tool - ScreenConnect Installation Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 29112c1d912aafdd95b322ff1127f1fde6560b1d2e3dc1484d11d9d222af7435 | 975 | 37
Potential Antivirus Software DLL Sideloading | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | a9d24e4f31c09e5d49bfde0dc5512383f008eb0a959b9e000ec57e5f29264313 | 960 | 358
Suspicious File Download From File Sharing Domain Via Curl.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09fa8f2c3e86f0fa6cc0876e94d77a20c07409a7154a61ef64a9a9a31a6d0049 | 952 | 223
UNC2452 Process Creation Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f282a8660328d20195770b77f51561e6885408fc2136a6916d0380839cf39301 | 946 | 28
HackTool - Mimikatz Execution | Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 338397ed109954fb8f766d6849691b20570aadf79c77ac5509047b25b9af2859 | 939 | 15
New User Created Via Net.EXE | Endgame, JHasenbusch (adapted to Sigma for oscd.community) | Sigma Integrated Rule Set (GitHub) | d83c79bbca4183561b4591dd3ce69faed2e6cfed3217f2658b85c237af7aceea | 930 | 153
Suspicious History File Operations | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | a90720274637391656758b0a5ab9ec371918d4a1e9d3ac56fd4d0f8719a7da72 | 922 | 495
Abused Debug Privilege by Arbitrary Parent Processes | Semanur Guneysu @semanurtg, oscd.community | Sigma Integrated Rule Set (GitHub) | 9d455dd5e2e653e4afbec915a896019f9ca31a26fba6e2ba47b2a380780ed090 | 905 | 13
Schedule REGSVR windows binary | Joe Security | Joe Security Rule Set (GitHub) | c26e0207e75a84b37249afa14659448c57c0203d2220e8049b52775ab00538dc | 885 | 0
Amsi.DLL Loaded Via LOLBIN Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6f788218e57d2939e69140473d30d868ecfc490ccb3caee4be496d022d6bc807 | 883 | 263
Fodhelper UAC Bypass | Joe Security | Joe Security Rule Set (GitHub) | c5017f04443b7c88d4fe320734d24f38108f67663239bc00f5c164081e9b5e0a | 880 | 27
Mimikatz Use | Florian Roth (Nextron Systems), David ANDRE (additional keywords) | Sigma Integrated Rule Set (GitHub) | 62e99f238afed27b43182594e90243db3ec17324c819a349f12ed55c015e5a71 | 880 | 1
Persistence Via New SIP Provider | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffce9ca9bd1660b065199ba140fc11dab25117a4d350b14bcc2553cece9c997b | 880 | 596
Outbound Network Connection To Public IP Via Winlogon | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 030a43138df8f268a688b4d336377f9ae24dca9828eec55a36d20824b6201ae9 | 876 | 0
Suspicious DumpMinitool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5756a38333b7f693b74fb2c16621de4da8e6e821acbb692ada0984c90768ca6b | 869 | 38
Potential Data Stealing Via Chromium Headless Debugging | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 894bc44621968b8ec9fc62b70f7ecf4d2f1e5bf6ff6c9e1c450929a2f2d8cc09 | 865 | 60
Suspicious Manipulation Of Default Accounts Via Net.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4932dce91cb1fcd2986acdfc28c116d5bd4899b8052649b068effd4022c81f8a | 860 | 140
Process Explorer Driver Creation By Non-Sysinternals Binary | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 99c7a3c2ca557dc3ff22980e34539383c6be02b29d75aed44570e5292dfb47cc | 854 | 55
Frat Trojan (Loader detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e5340d719fcf66efd2a0ce9db73895f3154a53e10e72e001760230ca6aa22057 | 849 | 0
File Download Via Bitsadmin To An Uncommon Target Folder | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 26ba1712f407ff4fbcd023c45091ebd8daf92a2befec4d5f1969002f7eeead49 | 846 | 82
Tasks Folder Evasion | Sreeman | Sigma Integrated Rule Set (GitHub) | ab8ea26663a3935bd7f1783455f465a74c106836d5a68c19a61dec68dd2596c0 | 827 | 0
Disable Windows Firewall by Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 2e9f34a4006a3d9169bfe02d2b846c4db28b03c5394e9216e6dac294db0644f8 | 822 | 4
Process Monitor Driver Creation By Non-Sysinternals Binary | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b37461353268b5d8d8a4a0d3ec132773396606b1cc30106f1524817122d6ed5c | 822 | 51
Renamed CreateDump Utility Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ed9dd3a8bde9d3f74318eae5a66dc75d50f12cb32fd6854fb7289d91507b60c9 | 817 | 619
HackTool - CrackMapExec PowerShell Obfuscation | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | c5f36e07dfb01984d08d19db1fe7f194936f079b371ab900d58eff493b972744 | 804 | 76
System Network Connections Discovery - Linux | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | bcce343b1b60fe2c9b0a19e6c49cd613e3cd470f7a5a4dc85811f8188fbdc872 | 802 | 572
Invoke-Obfuscation COMPRESS OBFUSCATION | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 2cf6294605b971d082366887fa44157d3f99e7552181ee7314a2ba598a2e5d66 | 797 | 1
Security Service Disabled Via Reg.EXE | Florian Roth (Nextron Systems), John Lambert (idea), elhoim | Sigma Integrated Rule Set (GitHub) | 0c3e5c376a4a569ab4a4f3217dd009bb34e695e5fa82da85111db47f2b801bc9 | 793 | 33
Potential Recon Activity Via Nltest.EXE | Craig Young, oscd.community, Georg Lauenstein | Sigma Integrated Rule Set (GitHub) | 1419b2c28c143f7062ef95f941065d5327c65890cab58ade41efd168132d8b3b | 791 | 41
Renamed Rundll32.exe Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9c82223957e793a96ef035ed0c34e45da5cda4718210320cc09615a65b0fb5d1 | 790 | 3
Whoami.EXE Execution With Output Option | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | accf31ff0e1e1b6219d9c964b9ca9832458e71ee32cac96d64cb26de422128f2 | 783 | 126
Office product drops executable at suspicious location | Joe Security | Joe Security Rule Set (GitHub) | e0e4a0d55b1462c34c5c59221f7b9ae4b1625aa019f157ee2d60b21d286df9b5 | 769 | 6
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bf0f7d2a84916abcc597e4a38a6231519b38af0223147ef15e28c7ab83f47c7d | 766 | 205
HH.EXE Network Connections | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4630d11b74b3a0ee68be5cd7788cbf0adc046f1248a513c2971cf8dd4a03835b | 762 | 481
Suspicious Invoke-WebRequest Execution With DirectIP | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fda985869abff56461050c96a2f19a215ac6e3636ad0bb952561118e7989a6f5 | 761 | 99
Service Security Descriptor Tampering Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 79b65bcfec60a228ced8c00aa4b8ff786ce017482ff46446e002fd9ea7bdbd00 | 755 | 507
Execute Invoke-command on Remote Host | frack113 | Sigma Integrated Rule Set (GitHub) | 61dae8b0a35fc9369e410406f226b559d6c9cb12837347724e7c4f9281869910 | 751 | 260
CMSTP Execution | Nik Seetharaman | SOC Prime Threat Detection Marketplace | 7d8b8c88008f45dc07b07590cdf039437686d441d35e7204ba91a632ebc9439c | 747 | 31
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b2414a4d8972516423f6b63d79b5aaffd883551d5c9ee63294d6395da8f6a88b | 743 | 497
Shell Process Spawned by Java.EXE | Andreas Hunkeler (@Karneades), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 0eced37f0ea111b4f9b0de81cecda56610adc30fad4061274a488187f71b395d | 743 | 127
Suspicious FromBase64String Usage On Gzip Archive - Ps Script | frack113 | Sigma Integrated Rule Set (GitHub) | 4c7e768ac31ad9f19aa32c2c10eb81eb9b6ae9d00129f474125bbfa6e8cf42ae | 743 | 21
Bypass UAC Using Event Viewer | frack113 | Sigma Integrated Rule Set (GitHub) | a0f94cedc18c397f576619978b15265938adc1cba9d431467d50db98d8a79972 | 742 | 4
Potential Mpclient.DLL Sideloading | Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
3600236ebf60c82a22ab80d3e53ec7e062aecdf809b0db101631364cbae11df6 |
739 |
0 |
DNS Query Request By Regsvr32.EXE |
Dmitriy Lifanov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
047ea96432123c5b2a32816291dc196702b51bd9d49adb2c1673b59dd0018a0c |
731 |
164 |
Suspicious Reg Add Open Command |
frack113 |
Sigma Integrated Rule Set (GitHub) |
81f2a11aeadd681c5a2bbef5acdebbc356da424e56854a985e3c7eb0aded2fba |
726 |
29 |
Suspicious Parent Double Extension File Execution |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
00b61d3ad8d5b276f712ce687ea306dc5b640516a51e65fd05ec277c5b979611 |
712 |
15 |
Copy itself to suspicious location via type command |
Joe Security |
Joe Security Rule Set (GitHub) |
ca9a79f8e23430115778a41aa4671433713b393278e1a60331cbb991a0f30f82 |
711 |
82 |
Spora Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
4dce473be53cdc44d945acff82c6e5ef53b3304748f9aebc8d4f586230520785 |
708 |
172 |
Domain Trust Discovery Via Dsquery |
E.M. Anhaus, Tony Lambert, oscd.community, omkar72 |
Sigma Integrated Rule Set (GitHub) |
e5bf067d8fc5f77622680e942156a44de63eda6026750ac80c29d0304dca435e |
701 |
0 |
UAC Bypass via Event Viewer |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c7f53a29488cdfc8b3ab7ecb4699f5c655615954b2d1ff9209e2dba026e30dbc |
697 |
0 |
Cscript/Wscript Potentially Suspicious Child Process |
Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86') |
Sigma Integrated Rule Set (GitHub) |
1a5f4db4505797dbb968725fb6bf6b357968abf23fbcc6b92acd08a6214e3e4e |
694 |
69 |
Pyvil RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e1ca1eef7de3f782d09979e606d626e690c8a52046acf75e7a5de3203cd0a570 |
692 |
225 |
Publisher Attachment File Dropped In Suspicious Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a8d0cd7feb7b63732f7a4b623d0c83302978e8b31eb15abbd34e71731c438c1c |
689 |
423 |
Bypass UAC via CMSTP |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
Sigma Integrated Rule Set (GitHub) |
ae5debad574fb4590d5efc9d2e3614bb603a5670f3f9f926a42d2ecbf0de0291 |
687 |
34 |
Suspicious FromBase64String Usage On Gzip Archive - Process Creation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7ba93fc93efb5d8901f3061f6c7f586575a9b70f53e7c4e4241975131258aac9 |
686 |
0 |
A Rule Has Been Deleted From The Windows Firewall Exception List |
frack113 |
Sigma Integrated Rule Set (GitHub) |
67a0e8c868b0d9e328cacb80b1deb06682096f1919a50ecd953a8b4cc9a1d01e |
684 |
591 |
Uncommon New Firewall Rule Added In Windows Firewall Exception List |
frack113 |
Sigma Integrated Rule Set (GitHub) |
67d7bc69b082fefa483232989806870ecde5e6bcb70d0db262c428e845ce0eff |
684 |
591 |
Windows Firewall Settings Have Been Changed |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
693c36f61ac022fd66354b440464f490058c22b984ba1bef05ca246aba210ed1 |
684 |
591 |
File Time Attribute Change |
Igor Fits, Mikhail Larin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
cf228b836870037eda6ce9d429595c3a3c8bb83b64b142fc4dae821bc43b3fd8 |
683 |
438 |
Suspicious Rundll32 Execution With Image Extension |
Hieu Tran |
Sigma Integrated Rule Set (GitHub) |
9103c9abde5b20f2b8e59ee53ea823a7c4e9d171c3f07a383b2ee7c0b3f792f6 |
677 |
224 |
File Download Via Bitsadmin |
Michael Haag, FPT.EagleEye |
Sigma Integrated Rule Set (GitHub) |
aca8c04f52d20c1f8ac7c5fda7686124759166ab9439145354e331faaf792bb9 |
662 |
109 |
Always Install Elevated MSI Spawned Cmd And Powershell |
Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community |
Sigma Integrated Rule Set (GitHub) |
742d7b1dbef016ab3810ec50354e231948fa035c8cacfec6b18f3a8fba03c2dc |
652 |
188 |
Potential Suspicious Activity Using SeCEdit |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
49aac70aa91f01a7539b5678a4fd244f32b078c30cec03a7ca460298d59a2a43 |
652 |
234 |
RDP Sensitive Settings Changed to Zero |
Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
e03a36fa82b6ec641fbe51860f9769191f5a8055411effaabb66600f778ef3ee |
646 |
74 |
Potential Command Line Path Traversal Evasion Attempt |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2a64ca949e5ce433b70a21b4be0e71e5ad0cd2465395fd093410ce2d33177cdc |
645 |
171 |
Potential Persistence Via Notepad++ Plugins |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1492d5fa8f02d4d7ce8b5c279841da26a3dae0da5562729690d1875944341bc0 |
642 |
324 |
Remote File Copy |
Ömer Günal |
Sigma Integrated Rule Set (GitHub) |
1cde4fe7d0cd62ea67b1474e3fd6fe9a6931bd8af934f3a5e9b8c134d90bd7b5 |
642 |
372 |
PipeMon malware detection (Winnti Group) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
7f7471486789b0240cf2b95271088889269baee8e3fb42b0cdb6d71d7d37588d |
641 |
456 |
Renamed Plink Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0b74fe58c124fa3f0817cadd3efb94d64ded5662336971846facb96d8b01e56a |
641 |
147 |
Suspicious Characters in CommandLine |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8d9898d05ff5a6ca099b0ec5f7aee9f3581d649c0ac4f2cf24f874e95d19d5ac |
638 |
58 |
Disable Windows Event Logging Via Registry |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7496876fb48565b8278bf669ff38b2846b842f9f663b755f72c105f928ae76c6 |
637 |
45 |
CoViper Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
156996684d126da245b795581497a973d9061da14c527920068752bc9a466ecd |
629 |
161 |
Potential Renamed Rundll32 Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6473e93a221b66c30b661dabfde02604f395c46f8e019efe0b3db46cd7dc03e7 |
623 |
145 |
Add Port Monitor Persistence in Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
8dbe594a0f4eb93aed5bfffd0545b03cb0d8c91d229a169700c0d5a7b140795b |
619 |
293 |
Windows Defender Threat Detection Disabled - Registry |
Ján Trenčanský, frack113, AlertIQ |
Sigma Integrated Rule Set (GitHub) |
baa17a6a8681c2a3d925f497f9c81458eab98535fd28d8909861aece2b9cb901 |
618 |
9 |
Automated Collection Command PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
beee5a67cef9cbdfd4d0e1db0dc60dff160df233b0948d9988a2ca819a41727c |
616 |
194 |
Firewall Rule Modified In The Windows Firewall Exception List |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1b4845df7f68549988add5335d4685cb047e4eaabd5768d84a5483935b0d5499 |
603 |
522 |
Change Winevt Channel Access Permission Via Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
cf2984facb3af2703a88c05e420505bdaad5887f51fbf32167a0bf5abfcc28bc |
595 |
11 |
Tap Installer Execution |
Daniil Yugoslavskiy, Ian Davis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
47fed78a8bb63a7dee467bd25acd7bbfb704d602012f1a2228eb56c9f6760b7a |
591 |
239 |
XSL Script Execution Via WMIC.EXE |
Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel |
Sigma Integrated Rule Set (GitHub) |
e80db9df819552f83bb1bc542be2503390d7a47f3c26ea4db86797b530411d2c |
591 |
15 |
BloodHound Collection Files |
C.J. May |
Sigma Integrated Rule Set (GitHub) |
ea90a9d0a5b0365173a60c78d15843211f9bc89dd93a164a6b464b66d82da85c |
583 |
404 |
Powershell Directory Enumeration |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7ce2e69836f6ffe690530adb579824031c46a1bee75e6f8dc9ec028fe59c5681 |
582 |
270 |
Remote File Download using GfxDownloadWrapper.exe |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
16dd4d7c651cd862752fb483a4e7898c821603b1739b7aecb11298a6e931189e |
582 |
582 |
Powershell Install a DLL in System Directory |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
51fc69e23d6cd3acb20d821dbe95596fb6d8cc314866c51a6a23033b83818ee8 |
577 |
223 |
Modify Group Policy Settings |
frack113 |
Sigma Integrated Rule Set (GitHub) |
dfec584345112d1012631493a8cdef4a2eb03ea5bd33d360363e24776a148a71 |
573 |
71 |
Windows Hotfix Updates Reconnaissance Via Wmic.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
392fcdac1175baa32b5f9e8899fc0dcd24fb0c6c9390adfd646bd983451e2810 |
572 |
147 |
Potentially Suspicious Child Process Of Regsvr32 |
elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7d605643d3d8c564d51574a154eb77dd6009d4c2a39133d7fe93089f5764286b |
564 |
5 |
Service Binary in Temp Folder |
frack113 |
Sigma Integrated Rule Set (GitHub) |
36e24eb60fb7bfe4a61d59d53220df514ceab13a68a4221cf5b7d120d53c4a3e |
564 |
177 |
Verclsid.exe Runs COM Object |
Victor Sergeev, oscd.community |
Sigma Integrated Rule Set (GitHub) |
0cc6e99f887ebd84bef65b69e0c64f654364e79f53cf546f89d1507edd3bbb6b |
559 |
204 |
Change Default File Association To Executable Via Assoc |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7fb55b14b0522200d56a9829ce919bc7a3bb320b473d376575989fde5e57f8d3 |
551 |
0 |
Malicious Nishang PowerShell Commandlets |
Alec Costello |
Sigma Integrated Rule Set (GitHub) |
b80c35f99523537c476487e505edb0c210eea308fa18707fdcd5aa54d136e3ce |
551 |
72 |
Potential Privilege Escalation To LOCAL SYSTEM |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7e17cc0d521f2433baf3ca36bf22ec2946bb387a555fee75aff1c992849a2578 |
544 |
44 |
Potential Ryuk Ransomware Activity |
Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
38e5073851afbf6c39ea309703c229e83988c6d3548896a389e9ef8795917947 |
540 |
15 |
File With Suspicious Extension Downloaded Via Bitsadmin |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6650c06d796cadbfac3560efcd86cb681d552bf6cb9c4d1fa9b6c82b556ae087 |
534 |
71 |
Suspicious Certutil Command Usage |
Florian Roth (Nextron Systems), juju4, keepwatch |
Sigma Integrated Rule Set (GitHub) |
f1e311405e4ccc1c99ed8213bdc24b813560700daa47ca78033edd0d8993ba04 |
534 |
37 |
Potentially Suspicious Event Viewer Child Process |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d37f057d76500ae8527178a9ea367395f2bde798f1cd048621be74f915b28aa7 |
533 |
15 |
Group Membership Reconnaissance Via Whoami.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4a8be8d477a2fbfadd8b27b53ce2a677c2b380814db4dedf6b47a8986fd6a69c |
532 |
125 |
Suspicious Get Local Groups Information - PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5ef6bc365a01e6ef90c1fc4f49006e9a8fe08e82c0a9ce80c10153915771547b |
530 |
304 |
Suspicious Start-Process PassThru |
frack113 |
Sigma Integrated Rule Set (GitHub) |
ce0c4f663ae2b2d04af92c5309f25b12035419b2fc2b6b9c161ab8c7830e3e52 |
526 |
199 |
Access To Windows Credential History File By Uncommon Application |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a97837cc5246d1005cb41d097acb5e089b3031009ed77e1792b93102e79c1f03 |
524 |
4 |
Suspicious RASdial Activity |
juju4 |
Sigma Integrated Rule Set (GitHub) |
c182c186baaff4acc155d390da0732179995f7767ef1710ca041111414a157f6 |
520 |
163 |
Operation Vicious Panda (COVID-19 Campaign) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
cf68f11f087c4b3b504b67cb0a9e4a499e486a6de10aee0811ab515d3336d7f1 |
516 |
25 |
Renamed Mavinject.EXE Execution |
frack113, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
7e9ffe282ed5cf9a47857b911d7d92611b0af4f61bfe1bf89131f57080e0100c |
513 |
77 |
Use of Wfc.exe |
Christopher Peacock @SecurePeacock, SCYTHE @scythe_io |
Sigma Integrated Rule Set (GitHub) |
828fcf5b0d289ec191b7e622d323a6e6def6af24a2d4aa575f7f8543ffd3de0e |
510 |
21 |
Potential Edputil.DLL Sideloading |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ecb809c2a4f83341a0254cf013ec5faf8d4870c4ad1a2ba5564f248d54621a89 |
507 |
135 |
Execution of Powershell Script in Public Folder |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2a39a26b108b99d76b325cabad67ed0b401f56104a863ba5158e0d3b889adc0d |
505 |
37 |
Suspicious PowerShell Invocations - Specific - PowerShell Module |
Florian Roth (Nextron Systems), Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
355b439d3a90c89090f6f266afd2306ad6a03e5ca79228ad1be6e9cb6940491b |
504 |
6 |
Discovery of a System Time |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
Sigma Integrated Rule Set (GitHub) |
18ed38c04ceafb2aa0b9dcb106310ce76cb1473a4109b6a489663f5c250bd2a6 |
502 |
54 |
Uncommon Outbound Kerberos Connection |
Ilyas Ochkov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9c660d5fee16f15f8c327be10917fac3b7275a58ecb9ed73d49e0ac6c35a7df0 |
502 |
11 |
HackTool Named File Stream Created |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b995506076579a8c1f5b600eca139df5fd016994aab5c3865a4f7f7cd0dc3931 |
501 |
0 |
Curl Web Request With Potential Custom User-Agent |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
88ff5337fc700aeab5dd5118bce29d1ca0b6108a128d1dfdf3638f38fbcea403 |
499 |
67 |
MSBuild connects to smtp port |
Joe Security |
Joe Security Rule Set (GitHub) |
86905c36f5c4e855311f702723eec0c6a4dc9e9992fcec9b2ddcce685b7c2e09 |
499 |
0 |
Change Default File Association Via Assoc |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
6143134666e4626abac4d906c673c60d7fdb48a48b44f2817af790432cae836f |
496 |
186 |
Remote Access Tool - RURAT Execution From Unusual Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
afdd67de130ff9c5fd2b18ca53480574ad0613d99edb23555df03caaf3cd774b |
491 |
6 |
SideWinder Ransomware (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
1f154d23ec03058edb48ed3380f862daca50719af728e0660a5dc14a5ab5b867 |
485 |
200 |
File Download From IP URL Via Curl.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
eb80a13f018daf47775fec9d5aaf6173f1ad3ed6a71702583f0bbb2feabc66f4 |
483 |
11 |
Outgoing Logon with New Credentials |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
55191fe8fd6505fe4952b024afcf9016670b4fade05502947a91ca4d3558d59d |
471 |
31 |
Potential Libvlc.DLL Sideloading |
X__Junior |
Sigma Integrated Rule Set (GitHub) |
e154e6fee14ecb972ffc142082d91cd9b413720840d13f7eef05014791a60d1a |
471 |
188 |
HackTool - SecurityXploded Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b097e888f96f943b0d94d7835326dbbc76b3cf117fd9407832fbace74cb60f48 |
470 |
29 |
Equation Editor Network Connection |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0418449ae011d99278f952cf0feb26a91074c66d4f9fd7f162f91ae71262c40e |
460 |
0 |
Tor Client/Browser Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5e1ab62fc9383aad72ce1011e101e15342e386adc35483e383f335b0e5904f84 |
459 |
55 |
Powershell Sensitive File Discovery |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a4c59bdaf575107ce23b3c6e62c772eece15e1f61e51a236e70e3b95c48bf0a8 |
455 |
165 |
Stop Windows Service Via PowerShell Stop-Service |
Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ad906661229e2ccee26f0fa5a23b6e080c651463299081f5b7a9bdeaa0b4f857 |
452 |
193 |
LimeRAT |
Joe Security |
Joe Security Rule Set (GitHub) |
667c9dcf6079fd28997e3e2b10b629c8ddbbd7bdffee1889aef6476277791e13 |
451 |
4 |
Suspicious PROCEXP152.sys File Created In TMP |
xknow (@xknow_infosec), xorxes (@xor_xes) |
Sigma Integrated Rule Set (GitHub) |
b33ac74e3c46a62df1698c5ebafdc2ab3f5907feff6e6ec1f73d273465b4aa5a |
450 |
9 |
Potential Credential Dumping Attempt Using New NetworkProvider - REG |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fad33264376c884f3f011141325fcda3eb98e6b4c916520ed6044fa16c571fe9 |
447 |
319 |
TeamViewer Remote Session |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a8298e7cd8ae07e912b976b51f53ec407301b782a18845c32270523946510c52 |
447 |
311 |
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE |
Greg (rule) |
Sigma Integrated Rule Set (GitHub) |
59b298e2e3b915378e28421e82fd8ba5669ee9eb26f07f878bde7303b4baf016 |
446 |
144 |
Potential ReflectDebugger Content Execution Via WerFault.EXE |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c39f4f5b97b1b17af1e4ec1d780f8384744cdbdcaf071260d5e9d9c523e6bbb3 |
443 |
385 |
Suspicious Splwow64 Without Params |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c4e0758476210a09a3e470db05d2cbec0aebd511e48d351685c75970566f894f |
443 |
36 |
TrustedPath UAC Bypass Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
804e7993351b779b371021d0b762692107233efc595e1171e5f9ebc62b851247 |
440 |
5 |
RegAsm connects to smtp port |
Joe Security |
Joe Security Rule Set (GitHub) |
4ff400ac692a7dca2bab429bae7ab6cb7f2bae4525b1ba9420ef0b5137ebf1d2 |
437 |
1 |
Register DLL with spoofed extension |
Joe Security |
Joe Security Rule Set (GitHub) |
ff70195d476ffa7a3d8e0b1503ffeca1e8707431b00403dfa695732599b571f5 |
431 |
280 |
Disable power options |
Joe Security |
Joe Security Rule Set (GitHub) |
57a5517535a56aab78723dc056130f1e0a6659bbc7addedcacecafa9ed499f0a |
421 |
0 |
Modify Group Policy Settings - ScriptBlockLogging |
frack113 |
Sigma Integrated Rule Set (GitHub) |
312aebbf9dd01274971762d360bf4d4870a7b7138c7cc149d33a9ba8df72b293 |
420 |
302 |
Potential Persistence Via Shim Database Modification |
frack113 |
Sigma Integrated Rule Set (GitHub) |
8c893b41c5a28ef36c6b16d709f057af26436898776837e685d30b93672c2de1 |
418 |
147 |
HackTool - Rubeus Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
74f9a93f96bad4ba440f105a789ab5905ef284191baa105737e7ac861d13bd44 |
415 |
0 |
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities |
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
df4c82057d61dd45f1a9a17a781614a8918ad397600ddeee25a1615fb75459e8 |
412 |
13 |
Remote Access Tool Services Have Been Installed - Security |
Connor Martin, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4fbc5b70b0ec22886cd8282ca750dcf7f30821364598b9309389ea8b9867450f |
411 |
82 |
PUA - Advanced IP Scanner Execution |
Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy |
Sigma Integrated Rule Set (GitHub) |
eba28e9e2b6ff9e170e3534ea8b1e863757d5c976a9a84e4bbf5bd6ffeea5325 |
408 |
88 |
Indirect Command Exectuion via Forfiles |
Tim Rauch (rule), Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
21c4db1b5b4f502860c9d961662f1f7daa62cf3e4c4c9712977dae1ad368a19e |
401 |
2 |
Windows Defender Threat Detection Disabled |
Ján Trenčanský, frack113 |
Sigma Integrated Rule Set (GitHub) |
41872a2c86ff9bf310cf8a81b0235040c25793f1fe6255fdc5bf771cd716ddfc |
400 |
324 |
CMSTP Execution |
Nik Seetharaman |
SOC Prime Threat Detection Marketplace |
7577d4e0fc2ced5cc24f093d5dca8c02dd117651e5112bee21b6526b7fa34075 |
398 |
3 |
Suspicious Sysmon as Execution Parent |
Florian Roth (Nextron Systems), Tim Shelton (fp werfault) |
Sigma Integrated Rule Set (GitHub) |
d76c7bc40bb395a6c2bc04fb2518aafb5044409e7d084eab35a00d6514635261 |
396 |
2 |
User Added to Remote Desktop Users Group |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
04ed3e23df49b07ebec11f2374d1ccce40bc71d867b1f8e29ea40b1b9e878ac3 |
394 |
44 |
PUA - NSudo Execution |
Florian Roth (Nextron Systems), Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
813ebaa5c2ede1835703f1defdfeae762f95ae97f36a5ee2da94b4b2b0877e5a |
393 |
5 |
Suspicious Printer Driver Empty Manufacturer |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
69f693a2bf7b4c283ad2afbd17043a7a25fd7596d7f26f5f77436d56ba9529e8 |
392 |
202 |
PUA - AdvancedRun Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1acf8a5bd4b9da5f502c337d49e41685a8b09ec964d979cda876f038871b43fa |
391 |
21 |
Xwizard DLL Sideloading |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
96b3df20cf0336e4751b0a85d9786ada6ce7185e05988a511f646967e712cc1d |
386 |
8 |
Powershell LocalAccount Manipulation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b3caa02d87fceb141c3eb2e3715d1290976d6fdb56070c03362cd1fb6808f95d |
383 |
169 |
Remote Access Tool - UltraViewer Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e5a4bf7a1c38d3917af9af6ae6ee7c2038a1ad6450721694cc741d2410b05834 |
380 |
171 |
New ODBC Driver Registered |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a5902259c1aea8cf86393e1e31b5bbe43caabcb3df6b2f410176d1b2c8ac6cab |
379 |
281 |
Suspicious Download From File-Sharing Website Via Bitsadmin |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
54145fc7feb54b73cba1cc24c4cd84fd7f99ba4e75cc334003bc39785217bc30 |
379 |
64 |
Gatekeeper Bypass via Xattr |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7f400a75c32e600540f4565bd2cb4099e67aab98f70299b5fe20136c9bc9f13b |
377 |
332 |
Disable Administrative Share Creation at Startup |
frack113 |
Sigma Integrated Rule Set (GitHub) |
529a42d20f26a0247c669d877e7a0260adfafaaf2627c9f33ad4d8b571e8d20a |
372 |
5 |
Renamed Remote Utilities RAT (RURAT) Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a7d9d6781e1b1a5c65f3603e5aa6e2da23879bb16ea543f313a3d39f5d7949a8 |
370 |
12 |
Trust Access Disable For VBApplications |
Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
262bfe67aaa5a8f3edc4f148e59a0ee2c9aab2cdd6e1833ff3cac93540de2c0a |
369 |
11 |
Windows Defender Threat Detected |
Ján Trenčanský |
Sigma Integrated Rule Set (GitHub) |
cf90b923dcb2c8192e6651425886607684aac6680bf25b20c39ae3f8743aebf1 |
369 |
324 |
Powershell Exfiltration Over SMTP |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b09b9f74febb3e25b3de69614b6193a2740c00fe9e7ccf5e62f503de56c5c1bf |
368 |
229 |
Office product drops script at suspicious location |
Joe Security |
Joe Security Rule Set (GitHub) |
67124e7349285a993dc331738db576ef56c6cb9724bf1cea7695561498a0fb35 |
367 |
46 |
Rhadamanthys Stealer Module Launch Via Rundll32.EXE |
TropChaud |
Sigma Integrated Rule Set (GitHub) |
de0e634fa9106c661586ec7674b77259237dd3f5bd92358ce52a278d05072e99 |
364 |
2 |
Clear PowerShell History - PowerShell |
Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
75df0b220ddaf477070a84227ba8e5430f5d4bbcfdfe1ad41ca6da62894c03ed |
362 |
97 |
System Scripts Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Sigma Integrated Rule Set (GitHub) |
e508e0cd0078f2c99fa9a87448bebda5652165ba069b1c9c4a89ecc4a2b385ca |
357 |
0 |
Potential PlugX Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
660cdd939969505754f58fd81c22dc2f313f6b7a8fcfcc55f0a45d62d879734f |
347 |
11 |
Squirrel Lolbin |
Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
556a1aa7c513ecf9a4f6edfb0176deb074a2cf1447650e01766fe9efee338c35 |
345 |
220 |
UAC Bypass With Fake DLL |
oscd.community, Dmitry Uchakin |
Sigma Integrated Rule Set (GitHub) |
f7b3aa6e9bcd6bb0bf047e633bb513434546a05f9322c433f8df8c2355115339 |
345 |
142 |
Writing Of Malicious Files To The Fonts Folder |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
50cc064f594178311fd316bf296afdcb85c962c45cbc15ab0984ca5de2940d67 |
345 |
3 |
WannaCry Ransomware Activity |
Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
b8a9a3d755cac11238eb37aa06d27255714356075872c2e2e140acfb3e8ab8b0 |
343 |
3 |
Data Copied To Clipboard Via Clip.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
d1138c20627ece208ac948647342866415641b06510830449eb2bf7d2f32e4af |
342 |
61 |
Connection Initiated Via Certutil.EXE |
frack113, Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
80b6e3dc8d08ed8e3d4ef52e59af689b5f0215b08d92b3fce2310539c37b6b31 |
341 |
55 |
Sapphire Ransomware (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
af5ee1ff302412603f190ad74d459219970f99e1b5a92d952a2e953f522b38c3 |
340 |
0 |
Glupteba malware detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
f75c71f7be8a63670e0c606b582900d5a921916b46408da383beb0786cb5588f |
336 |
1 |
Potential Tampering With RDP Related Registry Keys Via Reg.EXE |
pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport |
Sigma Integrated Rule Set (GitHub) |
e56cee5542b4c0d63057ea40087d4adf80e75c85d61d4c444e7b3f9b64a62cd5 |
333 |
87 |
Suspicious Interactive PowerShell as SYSTEM |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f8335c66f6b8aed850de5246bacec6f1eee18e5549c581e9892827d840e5720a |
333 |
3 |
Active Directory Computers Enumeration With Get-AdComputer |
frack113 |
Sigma Integrated Rule Set (GitHub) |
37b6b961c7d630d66ed7dffc1fa2aae8811008a45bb73eadb3a78bd34a309c6b |
331 |
212 |
Exports Registry Key To a File |
Oddvar Moe, Sander Wiebing, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a5e61828c15a99ec1e32a76e1f2d9bca2eba0d5d62d10197c69a8988b85c445a |
331 |
104 |
Renamed Vmnat.exe Execution |
elhoim |
Sigma Integrated Rule Set (GitHub) |
a94bce44672eb0c1fb09c1cec60477d64a82eb540559b6577c4370d99fbb38ee |
331 |
6 |
Suspicious Execution Location Of Wermgr.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
83b8f87b02d40783b017b20b24c9d622b8aa76ca308e3f4219d233beabd20b07 |
331 |
19 |
Suspicious Binary Writes Via AnyDesk |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e63c082925104de00901f48dacf129e0a824bbe55c24ed90ba31d4e82c44f216 |
329 |
6 |
Atbroker Registry Change |
Mateusz Wydra, oscd.community |
Sigma Integrated Rule Set (GitHub) |
15ae81a84c9a92e5ffb3bc1c4cecc28883ece49fc1ceef55d745ac094ece0622 |
328 |
195 |
Suspicious Connection to Remote Account |
frack113 |
Sigma Integrated Rule Set (GitHub) |
71f9611fe50b2788a25e6b1c3fb3d035c5e04dfe73447ed185bfde157084fc72 |
327 |
160 |
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded |
Perez Diego (@darkquassar), oscd.community, Ecco |
Sigma Integrated Rule Set (GitHub) |
3be9b8df84e3f6ada915083f86f0f6325f5e3243c3d383f8bf5413b9388ae350 |
326 |
117 |
HackTool - winPEAS Execution |
Georg Lauenstein (sure[secure]) |
Sigma Integrated Rule Set (GitHub) |
bdf9a7887267777773c9949f494e9799efef1be392343e309b16334f10b7bd66 |
322 |
14 |
PUA - AdvancedRun Suspicious Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
75719e469ef20b32e309a7f6531a0e2548349e059e4c4d943740490e0dd8f526 |
320 |
0 |
Hypervisor Enforced Code Integrity Disabled |
Nasreddine Bencherchali (Nextron Systems), Anish Bogati |
Sigma Integrated Rule Set (GitHub) |
d7747cd9601aab6c6a1df6e7b6a31da269e383405a5100fb533784f3e7a52085 |
316 |
18 |
Microsoft Binary Suspicious Communication Endpoint |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d01338d0a87197c0e5132ec7b920332c01f5c9e8218c727591d81888d10a9754 |
312 |
0 |
PowerShell Script Change Permission Via Set-Acl - PsScript |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
30f46284fa7f3fb0c36a6eea80464adf534469d7973d103ba867d6a004a5ce53 |
312 |
144 |
Potential Attachment Manager Settings Associations Tamper |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
beea9838b890b61ccab05d6321880b112538b784e3caf82454293c4c087caadb |
310 |
2 |
A Member Was Removed From a Security-Enabled Global Group | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 1d6eea9825839d71a79ed93bd0f383b8826d8a1ca80c0d063e7f43e648b2d67c | 308 | 62 |
Crontab Enumeration | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 23f3512bc30a856ca1f3906b9e52716a70df17c2083065536ac9ea6176aaf3ba | 308 | 46 |
Suspicious XOR Encoded PowerShell Command | Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 312888984ff0222cd7bd45936afd14feea146948ac0e6941f3e0513e56d51e65 | 307 | 0 |
Suspicious Unattend.xml File Access | frack113 | Sigma Integrated Rule Set (GitHub) | ab4f3a9eb0931d1b25be0e6ec70048514d987acda1b98b078b334de53d084360 | 301 | 61 |
Potential Rundll32 Execution With DLL Stored In ADS | Harjot Singh, '@cyb3rjy0t' | Sigma Integrated Rule Set (GitHub) | 115d14851bb2ec7497bd4b28be653bf38f285d93d2dc7bbe1c9c7ac94a76da3f | 300 | 99 |
Suspicious PowerShell IEX Execution Patterns | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9cede5a1c6382a5e4dd57d439fbcb57f927088bb5c3e1d4019c03562c3b4f9e5 | 298 | 26 |
PDQ Deploy Remote Adminstartion Tool Execution | frack113 | Sigma Integrated Rule Set (GitHub) | d4455289124296f34e652e21b22099e2dbeb914261581fba842def35d85a6d92 | 295 | 279 |
PowerShell Remote Session Creation | frack113 | Sigma Integrated Rule Set (GitHub) | 2edbd80b280a70f7636ca307800e2c61b25d829eca7c992125bf15782e91f688 | 295 | 166 |
Decode Base64 Encoded Text | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 0f307ac40cafbbdb1e262b899732195a25952ad5bb013ca8e6d280eefd45a141 | 294 | 59 |
Suspicious Processes Spawned by Java.EXE | Andreas Hunkeler (@Karneades), Florian Roth | Sigma Integrated Rule Set (GitHub) | 0119b24f133d3f3142f84b35c30b7b1c417c4418f4d18098200208947ac5d041 | 294 | 89 |
Register Jar In Run Key | Joe Security | Joe Security Rule Set (GitHub) | a251b526d9024ed7f489fe7b9c2182080e067f2d35068063c5fd326283d9b1ba | 293 | 1 |
PUA - Netcat Suspicious Execution | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 358a95254318aa55ff499eb64277dff47957ac37c6370873673433bd55e77cf8 | 292 | 12 |
Potential PowerShell Execution Policy Tampering | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 49b185e25e68c30cebd01a44e72bda0c359c132bb364ef487a935de293813a78 | 292 | 90 |
Suspicious PowerShell Download - PoshModule | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 69130b2eb287f08303a7092222cc3a0be896a066b64f8b32f96d08ff4708e37f | 291 | 5 |
Windows Defender Real-Time Protection Disabled | AlertIQ | Sigma Integrated Rule Set (GitHub) | 19a5c3cad343931aed1e013cfe07ab95ba7b853ee5b40c6828fc766529e602bf | 290 | 3 |
Buffer Overflow Attempts | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad1714ed24aec2fa28551a247a666369e496ada2acb48b02b3b266083d75e6b1 | 289 | 182 |
Outbound RDP Connections Over Non-Standard Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | dbfca88ab9ee6831be6d244ddd8d59d64840215c6266895aed60b0192f60f226 | 288 | 3 |
UAC Bypass Using PkgMgr and DISM | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5b0ad2dce2b0a9bde121d5016b3379c08f507ccce3f43e43a65fe518a16ba50c | 285 | 30 |
Suspicious Curl File Upload - Linux | Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update) | Sigma Integrated Rule Set (GitHub) | 53df4e098ad6e906fbb05243a95d838a673d2ba830a6c9ee0cabeac59d2f9a9d | 284 | 235 |
CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c388ee7bf8678acd149ab04cc3dc6f3d923b3c2a7684f42de0c984c16de1c023 | 281 | 3 |
Manipulation of User Computer or Group Security Principals Across AD | frack113 | Sigma Integrated Rule Set (GitHub) | 080f39fb13644d7055303fabf2a4ace323c7ca1c92ffe33c37a94ed397cecedd | 280 | 74 |
Potential Persistence Via MyComputer Registry Keys | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f776409e7a0ad2cd5dbb2241bddedc4d94cffb55043ccb0254fd7266f7f10720 | 277 | 112 |
Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 21b5ec718fa5dffa5785f1bdf68d0bab711e89bf6d4613aab3af0c7d0acdbd0a | 276 | 0 |
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE | jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 396c0639fa0d38dbd62b1c1baa0fae0b008178fb81dfebaf1cc70a858c610190 | 275 | 126 |
Search for Antivirus process | Joe Security | Joe Security Rule Set (GitHub) | b0b2b7f76cb8009a5eba92496814aadf2b2a17d8f5ffdc4169a2a8a8b6335ee7 | 272 | 22 |
PowerView PowerShell Cmdlets - ScriptBlock | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | c9a0fa3e3f43c8762528ddcca56a26673a3f37eb9077f2657884e8b847fb9ba8 | 271 | 85 |
Potential Invoke-Mimikatz PowerShell Script | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | eea4b79cda06d89aedf4a8bef48f151e04c00dcefd21c9b9c8dcb3d1457b226a | 269 | 6 |
Suspicious Activity in Shell Commands | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9f38dd0d0f681b4185f6a6008d3904a10d8e2fe4e9dcf5aaba007262f1230dcb | 269 | 13 |
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a4380ca308017f92e049147ec46e562ab46b9642b1952944647bb9bf85e4c95d | 266 | 18 |
Suspicious Schtasks Execution AppData Folder | pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a09b70879bee26f128e93430015539e1b08567dd211bd7411ff6e600ed8d5f6b | 266 | 58 |
Remote Access Tool - ScreenConnect Remote Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 170e0c16739cbbdcf75e4053e9fa80a10dbe8a05bdeb1d83020ad37566d796b9 | 264 | 4 |
AddinUtil.EXE Execution From Uncommon Directory | Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) | Sigma Integrated Rule Set (GitHub) | 28cd83ce12bf7ac57977773f55d7b8b368541555cc375faa0ba5968fd2d99a60 | 263 | 8 |
Nltest.EXE Execution | Arun Chauhan | Sigma Integrated Rule Set (GitHub) | 03ddbba7f8c72cbe2e0de21552f7f8f8a101955c12556c2bdb06219c0c968836 | 263 | 141 |
Run temp file via regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | c70694dd88c0a5a32ad8a52ef4ad97a6525c281308ba84e791661580aab19264 | 260 | 31 |
Suspicious GPO Discovery With Get-GPO | frack113 | Sigma Integrated Rule Set (GitHub) | 039172cd0dec626a7758aecf1db76255b8994bc61501f3a732abb90dc4e88560 | 259 | 111 |
Linux Crypto Mining Indicators | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a54f90d76f6357c3494a27966d9ddc15850d9dd07fd3848ac2a031ac149bec1a | 258 | 4 |
Suspicious WebDav Client Execution Via Rundll32.EXE | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a2c6a7629f2d0d6b18c2ce3cddbee5522cbf1f3e6e8bcf0692c9e9393724ebaf | 256 | 16 |
Uninstall Sysinternals Sysmon | frack113 | Sigma Integrated Rule Set (GitHub) | 422a2d0c4ea81e0f14306603309b37fedea591abe396235a46638eedb3aa069a | 256 | 4 |
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 44eceb73238948cbe65640378028a4f9d3a835bd2929cd4b8462e465a825c85d | 254 | 38 |
Check external IP via Powershell | Joe Security | Joe Security Rule Set (GitHub) | 4b3ac3a4fac3672c92791075c26f1e10555eb3385628b923bccd8cbbd5dc83a1 | 252 | 42 |
WebDav Client Execution Via Rundll32.EXE | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 27f312fa081c26ea0c76a26a31e9c6fe7a974b36000c89db9e288fd1ca3a6e9e | 252 | 98 |
Suspicious Scheduled Task Name As GUID | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef39cf85c48f12af91e233355369755a0620b84ae2ffacce7f740a2b429531d1 | 251 | 3 |
Potential 7za.DLL Sideloading | X__Junior | Sigma Integrated Rule Set (GitHub) | aec40a5dfd8adbf624b6c870c2aaa6c94cbc9435be56b32bfce0204180123841 | 249 | 170 |
Csc.EXE Execution Form Potentially Suspicious Parent | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0e07fc365ce0d0690c84a20e3467a5be2301d1c4de1e87bcbb9cb9ea841222c | 246 | 14 |
Whoami.EXE Execution From Privileged Process | Florian Roth (Nextron Systems), Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | f3863a9acecacb856747d09b6541ff99d6245853902c8785a4d4985fde12bf22 | 246 | 17 |
Bash Interactive Shell | @d4ns4n_ | Sigma Integrated Rule Set (GitHub) | f79f3c90ed2814f8c1329307fde553431e9978c1fb579ef0824abb01a64310bf | 241 | 117 |
Potential Raspberry Robin Dot Ending File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 36337e6a48c8f0ee0480d1739b35c93b2d000d9b86a4ac01dbf80b5960b6db32 | 236 | 84 |
Schedule CERTUTIL windows binary | Joe Security | Joe Security Rule Set (GitHub) | 5afe0a8f1f7fbc102dbeb6382c6e3e9702f05c872dee6c8309d805831b7dbbe2 | 236 | 0 |
Use of Pcalua For Execution | Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 15a88fc8b846a774c398a2350aba9d8b4203f0cbb095abb4035f8f0e2c3ca2d5 | 236 | 7 |
WMIC Remote Command Execution | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a72068f1e78b9563b352425ce5dd77aeaebcabfd4790a51a78cfd11d07e016a8 | 236 | 32 |
Suspicious exeplorer.exe execution | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 2f0a10e6befc35eb8cf3d8af89b1db1a84a53b5aff114a90c2d1b0a3a697d1ac | 235 | 26 |
Clearing Windows Console History | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 30041403950554ea68cae8436931add62874ca499364d423bd04a8ccb124d999 | 232 | 63 |
Cred Dump Tools Dropped Files | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 45248d2871f8e9f12191effed010f35a307cc4e1eb1350ad7dd486fc07bc0bdb | 232 | 33 |
Suspicious Service Installed | xknow (@xknow_infosec), xorxes (@xor_xes) | Sigma Integrated Rule Set (GitHub) | 7cbbf00cea5dc446cd78a75bf887ac0cc4816a0c14fb2fc31cb6c2e5043641e3 | 231 | 8 |
Suspicious Office Token Search Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d914cc65d6c2c6363da71b09c2053c49031ad5dd7762f7e08df307adf0892f8f | 228 | 109 |
PowerShell Base64 Encoded WMI Classes | Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d5a6acf8297313dfc47ed41e174ccbdcf2ac0a174e059a599f880ad761dfe89 | 226 | 1 |
Psexec Execution | omkar72 | Sigma Integrated Rule Set (GitHub) | 38908b57fac2bfb8f5f8466c64aa654432aa3d6f14700b122a4c4afb85f51879 | 226 | 3 |
Renamed CURL.EXE Execution | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e90bd630609a035372a71ff4471ee3d2e99ffb6464b8370ef394ea1a4d2c36f9 | 226 | 11 |
Suspicious HH.EXE Execution | Maxim Pavlunin | Sigma Integrated Rule Set (GitHub) | f011f2d580ad7a21cd2da8b72d5734b707147be0ec1270fb20fc1aa455fd4d89 | 226 | 11 |
DarkGate - Autoit3.EXE Execution Parameters | Micah Babinski | Sigma Integrated Rule Set (GitHub) | 9d3ba304b0b049fd4dd6a95685a9801b6cc9da0ac7837b8c106f010aa4f79723 | 225 | 10 |
Detect Virtualbox Driver Installation OR Starting Of VMs | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 3cbde0faee76f7509cfde702c1c324a83ac88cb58f0e0f74b2682a9b60369b1e | 224 | 77 |
WinDivert Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b7ad594d8528d4ee4c0201b1a0852d42e9fc45976e984ed534f502290031e73a | 224 | 50 |
PUA - Process Hacker Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0d1bb8b34cc8998b5c64517d209194141fc1ade58d04a41bb18fd11be56edfc | 223 | 0 |
PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d199db1a634577d3f5cc20a856125c4d011cf3785ae959ddad5ca77431d81a2 | 223 | 0 |
DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f4f15f4329fad912838474d3d5eb2925ae7045b2046b5dcf92c7c16c189927b5 | 220 | 0 |
Indicator Removal on Host - Clear Mac System Logs | remotephone, oscd.community | Sigma Integrated Rule Set (GitHub) | adfe5f99b6a812a149fe86b53528239d9e7938e56d2864d1403950040a11e57b | 220 | 94 |
PUA - Fast Reverse Proxy (FRP) Execution | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 2efa94e8cb6d016973ddbda2ca94b9db0d935bf31c7d4ede736b02e9d8ed25aa | 220 | 0 |
TAINTEDSCRIBE - North Korean Trojan (Hidden Cobra) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 97f6a22231c4c8e243c104bf226d8fd3875f335f00fc724750e6b691770fbc5a | 220 | 122 |
PUA - Rclone Execution | Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | d682d09d3c15912248f0f367d755338bbf871b25380f62525ba288c8bf90689e | 219 | 110 |
Potentially Suspicious Child Process Of ClickOnce Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 920fe62cf594dbba4b9849105e6af672ef9c197f7184586a009e3195bdd1c925 | 218 | 40 |
Suspicious Download Via Certutil.EXE | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 58420e39c1212a7677f357957516cbc90081f03f0eff5a93e3fa8476eefebfcf | 217 | 21 |
Dism Remove Online Package | frack113 | Sigma Integrated Rule Set (GitHub) | 835544e76c588c424d064ff04c81b644c875fe6499d31ecb188d5e3e59f4e72d | 216 | 91 |
HackTool - Certify Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1feb34fc6cb1b6cc6e7f79cf3437684366634b5dbbdfd6e053e0f07cdecdd327 | 216 | 66 |
Suspicious GUP Usage | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e52de558a2f45ea0c3633bf97f5181779246c0964d7003bd012f344221f012ba | 216 | 13 |
RDP Sensitive Settings Changed | Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | e6aa587c97733e016f1b4f6f624300aedfd416066f9b69512bd9ab43d8b81d61 | 215 | 21 |
Suspicious Curl Change User Agents | frack113 | Sigma Integrated Rule Set (GitHub) | 93f12e3e5c1af45ad5cce51fca771889beae9d1da27d23d889c557f217fc803f | 212 | 6 |
Suspicious Epmap Connection | frack113, Tim Shelton (fps) | Sigma Integrated Rule Set (GitHub) | f7111a6bcb3ca53bd2233e4c87e194a56653dc72a81d92c78e707b7348c4f241 | 212 | 12 |
LOLBIN Execution Of The FTP.EXE Binary | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 89f260c1bb244a6c153a5d3a5951ec6f517e5e846823da8b22d1b5192f798e62 | 209 | 31 |
Netsh Allow Group Policy on Microsoft Defender Firewall | frack113 | Sigma Integrated Rule Set (GitHub) | 631a83ba9daa9bb7ff02be55784068db1eeaa6935ea10809a1b8a8cf4ce2abd3 | 209 | 45 |
InfDefaultInstall.exe .inf Execution | frack113 | Sigma Integrated Rule Set (GitHub) | f6602c9cc48a37aa44fbfc4ffe4560e8f37e1934e365a235af4ae61c9571ded1 | 208 | 27 |
Service StartupType Change Via PowerShell Set-Service | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a1369ba6b294845b80eaa8e066a683a25e6d2cd458f78a519a4aa7cea4b3fba1 | 208 | 66 |
EQNEDT32.EXE connecting to internet | Joe Security | Joe Security Rule Set (GitHub) | 3b421cd3a4401c0dfc3d2c5613d705669e2bdcf8d998c4e363d2e1e5cbd328d4 | 206 | 0 |
HackTool - Koadic Execution | wagga, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | c5d484cc0502bed15307c6bcc483ba03518aaa99ca3cca09b01da3ea57317777 | 206 | 6 |
Suspicious Microsoft OneNote Child Process | Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | c2b8793bc5dc3f78c117608b17e59499e853d298dba8c03f56b4bbcd6d0c0f16 | 206 | 2 |
Set custom UserAgent and download file via Powershell | Joe Security | Joe Security Rule Set (GitHub) | e582e78adeafd207d6a2f3d950ffcb4127273371fb705b3ef4b6930eb5bb79d5 | 204 | 1 |
credwiz.exe DLL side loading | Den Iuzvyk | SOC Prime Threat Detection Marketplace | d83f2abd95409ecc8fb4d4930072a48b4a677def3d31b022a95e99d5873fc27a | 204 | 41 |
Copy From Or To Admin Share Or Sysvol Folder | Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 253df726683ee378cff180cb32526ec9f10b897edda084113b11cbeba118fbe3 | 203 | 35 |
PUA - System Informer Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a00758f1aca02cbafe08dfea3c9d6fc45ef3972d7e1ccc41ef3df19293c36d15 | 203 | 21 |
EVTX Created In Uncommon Location | D3F7A5105 | Sigma Integrated Rule Set (GitHub) | be104b5c33d23ea5b193fa207267ec1f1058e6a2096a14b67fc5c957fdb94b85 | 201 | 108 |
Valak Behavior (Sysmon and Cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7703b5b01adde91ddc9f6ec5a2ba30dd35be11277cad519ecdf5442a8358319f | 200 | 37 |
Compressed File Extraction Via Tar.EXE | AdmU3 | Sigma Integrated Rule Set (GitHub) | b0ed746e9cd2eab869bddc4a8122b28ee59bdf9fb2bedec78463b8df812919f3 | 197 | 91 |
Payload Decoded and Decrypted via Built-in Utilities | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 8df9869d57c609e184a4e1d02d938d96351116a7e5fe08436fb539b7cb675267 | 196 | 0 |
Disable Or Stop Services | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0aefa5af3ce18645188a34cbad40ebfc008ebab07e5d5404a636792bb7023634 | 195 | 101 |
Suspicious Download From Direct IP Via Bitsadmin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 341222e0eba20f3fbf807a78669d6bd5ab3f6245589b85086cece2a9518283ca | 195 | 19 |
Change User Agents with WebRequest | frack113 | Sigma Integrated Rule Set (GitHub) | 024c79f380ec5ead6ad1ccc07deb79a5a281021a443831220b62f700f9cfe3d5 | 194 | 85 |
Suspicious Process By Web Server Process | Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ca0321ec695742141eb7a3fb00dfc04170d24e00d3f021803c488451d9c4648f | 194 | 3 |
Schedule script from internet via mshta | Joe Security | Joe Security Rule Set (GitHub) | a3c2a24a999f3a9870f6ace27e73e7bdf30d18dcf0bc4873bfe196f5bec81ad4 | 193 | 0 |
Suspicious Obfuscated PowerShell Code | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d8233999a8d30f6ee903ed094bc3c6fe4008a4be43a580311a9d379867e54538 | 193 | 10 |
Persistence Via TypedPaths - CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3f78ff7ab6850cb34de03f0d9dd46de9ae0b96b1eeb140dcda89aabc2b7462a0 | 192 | 55 |
Suspicious Creation with Colorcpl | frack113 | Sigma Integrated Rule Set (GitHub) | 4a29af926d08877fafd396f3d616bf6c90064503754db0460c36b7c0dd99dbbc | 192 | 6 |
Clear Linux Logs | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 4a4b8d80ea9937a6728e92b1079891255ed26e302f37e290db84bbaffc71c386 | 189 | 63 |
PowerShell Base64 Encoded IEX Cmdlet | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6011c0e706a0ea8a69892186b9808f52466832e2c60ea353b876a15100a2c891 | 189 | 0 |
Shedule hidden powershell script | Joe Security | Joe Security Rule Set (GitHub) | 9277300d8dfe7cfc29e41129553c4d7c59c4b709d4b1716c8fe9cc037c9bc29d | 189 | 13 |
Disable PUA Protection on Windows Defender | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 09a64c87ba1b11c75a19c495d100b0ef9fa95955560f0e1b4f9f2842159caaef | 188 | 1 |
Renamed Whoami Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f22be736aa7b4ddd0d6ce96e785fbb7adbcb991517763b72a098333df9610f14 | 188 | 4 |
Possible Process Enumeration (Sysmon/Windows Logs). | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 1b3947466060dff55a89da9e24ec34cca8df9c4dbf704a3b3a9120eb3df96e3a | 187 | 120 |
PowerShell Hotfix Enumeration | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6715493a73f1ae31ce901cd48d6907aafa006d047fa07301d790319a8ff89813 | 187 | 123 |
CrashControl CrashDump Disabled | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de530c1426a408ae40cc5a51e752587348efab456b3dcc12204b8c47a389eb83 | 182 | 7 |
msiexec download and execute | Joe Security | Joe Security Rule Set (GitHub) | 80df93b91d026bd6faf3f28497aecc8b5a81a6553fe9336a204b11f4dcef8733 | 182 | 1 |
Root Certificate Installed - PowerShell | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 0226d2c44e3b81cd4d31e7a8e55f6a3e3835b44939f721d5527b610071ebf40b | 180 | 81 |
PowerShell Create Local User | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 065b49beca5cc42953a5612a7a5342fd18266f128a46b1a788c3f358f775a191 | 179 | 46 |
Uncommon Extension Shim Database Installation Via Sdbinst.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 813f8997c08df471ef89b590a0967a9068aaf4baa601376fcc7dc9060d98dfb0 | 179 | 84 |
Persistence Via Sudoers Files | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f8ee3ba4187b3d0d1e52e0c2db8dd9b1bca93d09c84da45024fc646b37179ae9 | 178 | 6 |
Uncommon Child Processes Of SndVol.exe | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae29aa8c58d6f592b709707a80042a957eb54a89d6411f1fe9b6bf12bd4f225c | 178 | 0 |
PUA - Seatbelt Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c38f8f9eadbe19471d3a16edc3057b1660a29e4b74e90fb2ff929df10c440a40 | 177 | 2 |
RDP Connection Allowed Via Netsh.EXE | Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 0edbdff715350e06427add8d168d0d14de79ec048ea17f4a243589e2ccdc63df | 176 | 18 |
Saefko RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e036021928c6159521691ec6551a2b2c660a651ff2c69171bb3db4fc676b2e17 | 176 | 0 |
Potential Powershell ReverseShell Connection | FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1b46ecd9aa9660208e7f7cbb3e4ad79d7fc469adb5c2c5dc81af712ebce9b80c | 175 | 14 |
New Process Created Via Wmic.EXE | Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community | Sigma Integrated Rule Set (GitHub) | 29ea4c436137aafe4f4ab08ff716f2a03e416beb0802c5a009cfb266b5d948c6 | 174 | 4 |
Obfuscated IP Download Activity | Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffc754712d43996d8ad6fc8498ab7057e29da0a46860be0cb0daab6dd58f1afc | 174 | 29 |
Odbcconf.EXE Suspicious DLL Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 16ea31e234af1f8991ca97669b5681616ecdd409eacb4c3b0b4e2cc3febfd702 | 174 | 40 |
Potential Persistence Attempt Via Existing Service Tampering | Sreeman | Sigma Integrated Rule Set (GitHub) | 01b2124bf0e9019139ef617d15b67080610ffd3584d4fa0cf7c646bd3f11853b | 174 | 37 |
AADInternals PowerShell Cmdlets Execution - PsScript | Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6d5567356ba0845cc4858843f110d6459b2d79576a5e0139dd7b2218b9f556e8 | 173 | 165 |
Disabled Windows Defender Eventlog | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d8e5c8a4902824901a6b91baa07694ac8ea9e13689cebd342572a8b546bad5bc | 173 | 3 |
Remove Scheduled Cron Task/Job | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a0e343af9ac4b19a8ff9f0cd81d30a29e473fb0938c05d141f74e93d6b7d8f83 | 173 | 12 |
Winlogon Helper DLL | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 071f1cce27ada52da178afa07fd609ed14967f9058b386611411962f4c56b665 | 173 | 84 |
Network Connection Initiated To Mega.nz | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f13e798225ef1d32c44d8511ab7c95a58e93d46b8c833bfb47f55eb5d9bb69e2 | 172 | 39 |
Suspicious Child Process Of Wermgr.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 656aa4cd1d10955cd1240f1e010961aaeabc323850ef28dcdecc9f334ffabd54 | 172 | 1 |
Potential DLL Sideloading Via ClassicExplorer32.dll | frack113 | Sigma Integrated Rule Set (GitHub) | 8fd7600f68e8c01123815959e3b174b06eb3794d62cb511c05e49548a44bebf2 | 170 | 39 |
Use of Remote.exe | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 598030e3b99748bb98e1a8c78a24023b80499c1526fd7b7719b5265a781b5402 | 170 | 56 |
Compress Data and Lock With Password for Exfiltration With 7-ZIP | frack113 | Sigma Integrated Rule Set (GitHub) | 227d06b807fcca01531502ab9bf3471b44a2e7db88394d5d03f7e07a11adc2e3 | 169 | 85 |
Code Injection by ld.so Preload | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef655b20c81f4dddb081e2c7fe6c60ee0ea86d7e37cdf55fe02cd0c8586de4d1 | 168 | 18 |
PsExec Service Execution | Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6ce71be75a7090fc85bf7d41e3b363a7a4dce58549844db0c3e5d9d3b32a3e0e | 168 | 8 |
Password Provided In Command Line Of Net.EXE | Tim Shelton (HAWK.IO) | Sigma Integrated Rule Set (GitHub) | 356834a41f1b8ed94c954435f27d64f970ba67b17ac5474ddb8357cfbb8de8d8 | 167 | 55 |
Potential Suspicious Mofcomp Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 890b5bcddab8d41ea499e521d3dabfb62f66e175c7e5968407080b5c7a4f2aa8 | 167 | 100 |
Base64 MZ Header In CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 754e38d8c28a41c5d8fab94446819cba31374961a938b11c2766647ee5dda64c | 166 | 7 |
Potentially Suspicious Shell Script Creation in Profile Folder | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 75fbf85188235a403847898f76531554e988c5316df1299753442fad2ee0b7b1 | 166 | 39 |
PowerShell Script Execution Policy Enabled | Nasreddine Bencherchali (Nextron Systems), Thurein Oo | Sigma Integrated Rule Set (GitHub) | 7d44a600e53e8dc468836aa200851d612b4e9d0cce60dc1cf0b2ddc30551134c | 166 | 3 |
Suspicious New-PSDrive to Admin Share | frack113 | Sigma Integrated Rule Set (GitHub) | 9b5bc7e38efe4f1b17f2a923ca4fbbd1303baf2899f224b7e40278aea60cfc64 | 165 | 63 |
Local Groups Discovery - Linux | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 0b93262008400f8b22d04eac398727ff17377f8b7f399741a879ed674b5940f3 | 163 | 84 |
Potential Recon Activity Using DriverQuery.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c887795f89a95940c21235ec7fff122040bc4c53b14e9a9ba700193f3a7db228 | 163 | 53 |
Schtasks From Suspicious Folders | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afcc7387bfcf1a39c26eb91bc6b000368dba233e0d6405a1ed3dc8b8e436f18e | 163 | 70 |
Outlook Security Settings Updated - Registry | frack113 | Sigma Integrated Rule Set (GitHub) | ad1841979098a6b76c24ea780263b9da230373dc9a0d48d841538ec02cecb447 | 162 | 115 |
Suspicious Unblock-File | frack113 | Sigma Integrated Rule Set (GitHub) | 71c164abf414b20e2e799e16de648202a68a8205db9f81d0dd28495ba9ce1ce7 | 161 | 79 |
Application Terminated Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2db6346fec29f9d33fb9a84eeb0843c8dbb41e4c167ba165566d4a1f5b9c921c | 160 | 37 |
Compressed File Creation Via Tar.EXE | Nasreddine Bencherchali (Nextron Systems), AdmU3 | Sigma Integrated Rule Set (GitHub) | 982905654574a9a7d204ef080147616dc585ddf0111f74d517a85ff94fcf04e7 | 160 | 63 |
Kill multiple process | Joe Security | Joe Security Rule Set (GitHub) | 868e81758b31ab7d5c37adbd3798dbc1effacb9eeaad44e5f6c5f41c409fb786 | 160 | 0 |
Windows Registry Trust Record Modification | Antonlovesdnb, Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 9292d14bdf79582c701fad33de8f018f0151bb6acfc181fba0dd5d223cee498c | 157 | 56 |
HackTool - CrackMapExec Execution Patterns | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 4adf455dcb8e143b4df56b115b6a64714aa6d18f105e8e3d9859c02f686e393b | 156 | 81 |
Schedule binary from dotnet directory | Joe Security | Joe Security Rule Set (GitHub) | 3c44dc412b67786cb131e2f723dbcfd035125eb3c04b66bc8baf4a7efe0ac581 | 156 | 0 |
Suspicious File Download From IP Via Curl.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae613ed890bf3b871457b4c8ae4286d26be7254491c8e47c38fab809c4375d42 | 155 | 16 |
MZRevenge Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 34b4fad92956929789617ef0c367187e5950267fc9fb902893bf5a6583ab5439 | 154 | 0 |
PsExec Service File Creation | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 2638e4eb6733f565f75759fc7f3c7b2ce2d92f7a231f14859cad11aa82b929e9 | 154 | 11 |
LSASS Process Memory Dump Files | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 532253e22b4c2a6410e693838434b30d959a9ebc0c04a0c861eeb9d593879009 | 153 | 5 |
Nohup Execution | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | bad6dfec2abf828a85fe50bc6fb16600e7090a7d73658e2ae431aec1555bcbec | 153 | 56 |
Schedule VBS From Appdata | Joe Security | Joe Security Rule Set (GitHub) | b16d941c7cf2248881a4d3da266d63655713389cafe7f2606ceb2b73fbace067 | 153 | 30 |
Delete Shadow Copy Via Powershell | Joe Security | Joe Security Rule Set (GitHub) | d91fb994dcf44dbdd52950e6db5cdf99eba912926494deb2f92f3f2dbf232740 | 152 | 0 |
Local Groups Reconnaissance Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 386f2bc7492f0e981a3ff4d07a1e865250fb5f4de55f43a70e9ca3e91bd61e31 | 151 | 14 |
ClickOnce Trust Prompt Tampering | @SerkinValery, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0074b65628de8c068abdf29904b82da56361668862472dad4f92969c6bee1cf5 | 150 | 148 |
Command Line Execution with Suspicious URL and AppData Strings | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 0585dd5b67e1bced48ad1dc8f9e0b66fd4e44c6e7c14dd5b385950c97e15b768 | 150 | 6 |
New Port Forwarding Rule Added Via Netsh.EXE | Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 00fb9d21500af7c2b136a91e80c983e8f98843c063a63898c2775d7a5a91efa9 | 150 | 9 |
PUA - Radmin Viewer Utility Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 656b04cfc858a6fe2bf9dd2c3fc9b7beef1f30399b5817f0ad3a3862463f3783 | 150 | 2 |
Powershell downloading file from url shortener site | Joe Security | Joe Security Rule Set (GitHub) | f05d1fcd81ae053d34629eef4e2f082dd51622b2535713f47860649c3619d085 | 150 | 50 |
Suspicious Hyper-V Cmdlets | frack113 | Sigma Integrated Rule Set (GitHub) | 62e075896842e5b2072a0b1610a9995667d1edd599e21657ffe829aa871cc56d | 149 | 109 |
Ufw Force Stop Using Ufw-Init | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 3b99cfddafbe928cbdbe1bffc59282013b9389bce664830e434b17c6c47769d5 | 149 | 13 |
MZRevenge Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c5132d9b7ddc56b36fc0095350bd8556ff7fc29c750387be3e0344beddf41f7b | 147 | 77 |
Potentially Suspicious Child Process Of WinRAR.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3403fa242d939f60babe764c3b8083029e83943b7f7347ae53b880b8fdef114c | 147 | 1 |
Powershell Timestomp | frack113 | Sigma Integrated Rule Set (GitHub) | 5b5656801277c44d48ce3c9f4c8c393d55f8c0943d2c641d4968a012bd160f38 | 147 | 60 |
Suspicious Extrac32 Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 22466d36eb86be8a2f88344d2ad8707352f79b184489f7bc14547bcc6c82b9c1 | 147 | 57 |
NetNTLM Downgrade Attack - Registry | Florian Roth (Nextron Systems), wagga | Sigma Integrated Rule Set (GitHub) | 5bced7470eb37ada15efd448b0a87615727c93557e648e225c3ee894c4b0ff08 | 146 | 19 |
Password Filter DLL Modification (Sysmon Behavior) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | cdcaebb2c5505eed7b1cf8cbaff3316fe62d1be1354a3d77d6e25bca67c753d6 | 146 | 76 |
System Control Panel Item Loaded From Uncommon Location | Anish Bogati | Sigma Integrated Rule Set (GitHub) | 7558a1c97a7b2400810934778152ef86113f31961b7d88655f0384652da936fb | 146 | 28 |
Disable Security Tools | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | d934cd2adbdfb7c12ed5f937e36ed253d3f53495f0194507c0ea80b55f983957 | 145 | 38 |
Potential AMSI COM Server Hijacking | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 738acd800035a9376f9c5ed9937f647fdc87ccefc57ccd0fab07a3fc108fa255 | 145 | 27 |
Security Support Provider (SSP) Added to LSA Configuration | iwillkeepwatch | Sigma Integrated Rule Set (GitHub) | 303ed88ac4fc55c5f589ac99388d35769e708b361f23a767523b143a6751efc0 | 145 | 73 |
Suspicious Eventlog Clear | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a049127770d6c92e914c0806277852c3b69f5e9cc86ca0f687e50e60c12d8868 | 145 | 44 |
HackTool - Empire PowerShell Launch Parameters | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dae7277357ad237d5dfceb985bdbbaffa777a494f5cab14f067003795d395650 | 144 | 1 |
Potential Raspberry Robin CPL Execution Activity | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | c297c796b6f3b39c781e4e772cfee6de320f223e025982fd520d4128f069085e | 144 | 0 |
Custom File Open Handler Executes PowerShell | CD_R0M_ | Sigma Integrated Rule Set (GitHub) | e441ec55e6c79f736b37301c124beac89f633c990d45a175da5e134af80e91c6 | 143 | 15 |
Mstsc.EXE Execution With Local RDP File | Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock | Sigma Integrated Rule Set (GitHub) | 4476f97756130311a92e0412033fd3fdacf6c62d0eb95901dcab7519a0236740 | 142 | 31 |
Pass the Hash Activity 2 | Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) | Sigma Integrated Rule Set (GitHub) | 1e58f3b3a12845dad6be8befe76f8a0368d994ad5b069e672ac85d329bf336ed | 142 | 2 |
Potentially Suspicious DLL Registered Via Odbcconf.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 391646c8321e490960603a2b21d983579e26c6c48aced031950d46bf9cbc4799 | 142 | 40 |
Service Started/Stopped Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e3d78c5e41e6de41cac9e7f1872a39a27300e4078b7a403b7c6d4f0ca96daba | 142 | 22 |
Harvesting Of Wifi Credentials Via Netsh.EXE | Andreas Hunkeler (@Karneades), oscd.community | Sigma Integrated Rule Set (GitHub) | 9d07a4fa9892ca001b30724fd1594eff85b72585c8f1106889da7e97608509b4 | 141 | 6 |
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 25caa714d53ce1601014e133c61d1dd3b361938e96a8ab5f410b0f3de1c8f8c9 | 141 | 2 |
Windows Admin Share Mount Via Net.EXE | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga | Sigma Integrated Rule Set (GitHub) | 816c82737c8262b4f167d02b04198105def46bd23ea282a655786d387e88118c | 141 | 21 |
Rare Remote Thread Creation By Uncommon Source Image | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | 11642a2b68a439e8804e904e15e5f8d7463330056739adb17310fefab75d3585 | 140 | 2 |
Suspicious Get Information for SMB Share | frack113 | Sigma Integrated Rule Set (GitHub) | 78af9841681cc3ae06f2b42827aa5b5f54e7e1cd67967a87cc99a5e7d4cfe18d | 140 | 96 |
Flush Iptables Ufw Chain |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
7bad36edd1846bfc2bf6f4e3318e8d1794ee3eafa59a025658cecfb8bde246f3 |
139 |
12 |
New BITS Job Created Via Bitsadmin |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1bd7a375097c5f1afa59522776e79bf741057e59bdf9df33985fe7db095c655c |
139 |
44 |
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2291b42b147dc3089126be94f1bf34506fa822ea41904e0632fbe519dd3799a8 |
139 |
8 |
SoreFang Malware (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
ef69867dec66e047e8894803bca76813e63b7a2f0d2bc6938e903f4accf5ae76 |
137 |
47 |
Potential Shim Database Persistence via Sdbinst.EXE |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
f228d8546016f76e5942e38208fa8a55735339d54ec3f56e63b2b9133b037a7c |
136 |
43 |
PowerShell Credential Prompt |
John Lambert (idea), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3673ff480d9b6da69d58b49cdbd4653446b39552e94717447405039cbb476c09 |
136 |
97 |
Load Of RstrtMgr.DLL By A Suspicious Process |
Luc Génaux |
Sigma Integrated Rule Set (GitHub) |
768defcb9e242825579cefb1548499d288a81e43688bc48e91a51f9755a14106 |
135 |
4 |
Active Directory Group Enumeration With Get-AdGroup |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2363089b66b3f43001c4d30a1a0d4a7a622db02c1b8f68a3aa3be7c674be645f |
133 |
94 |
Suspicious Workstation Locking via Rundll32 |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7077cb988db6f3b9dad54bcebad8cd59c0e62dd4b3f4f99d281d5e2b721c92bf |
133 |
49 |
Disable of ETW Trace |
@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d85308a28516fa075ee74a4ffd11aea2be1f15add944422ade0969027648a3fa |
131 |
30 |
RDP Hijacking. RDP port changed. |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
a917e763c89ea31922fe3dede8cc03c807a8b52f1a6f9eb0152291fea14c9416 |
131 |
9 |
HackTool - Rubeus Execution - ScriptBlock |
Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
98b35d6064ab9d23d69cf136567c9243c969bd5a1bf0f88f94c768bb1c624d71 |
129 |
2 |
Vulnerable Dell BIOS Update Driver Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
10577bdb5cec4b94b7c1d5ddcb04041555da105e51850313907d995a05c68dee |
128 |
66 |
Security Privileges Enumeration Via Whoami.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a9f6af870a74ed20bfbc784983dc7fa8aae28d336e2f79a8fa8b72c32d6a9fa0 |
127 |
37 |
Remove Immutable File Attribute |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
317e93721a5522556a572030086fc84621a557cc5edeccf22ab7af63689a5661 |
126 |
25 |
Active Directory Parsing DLL Loaded Via Office Application |
Antonlovesdnb |
Sigma Integrated Rule Set (GitHub) |
6691a047173376a6c37e4a5a5a2ca36610041e928c2900eb7665491f798ff07e |
125 |
89 |
Potential Webshell Creation On Static Website |
Beyu Denis, oscd.community, Tim Shelton, Thurein Oo |
Sigma Integrated Rule Set (GitHub) |
a52a436bb2117d8c22878afc1facac963ffa5feca0046433c94396c44991c948 |
125 |
70 |
Hiding User Account Via SpecialAccounts Registry Key |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
c5763f84925887a9d36054776ddf6d48e47d552ec2e7fed586026049488c127c |
124 |
36 |
Potential Azure Browser SSO Abuse |
Den Iuzvyk |
Sigma Integrated Rule Set (GitHub) |
08cc3358fc66df84bafea574255088ebf9e6d0b56cc08317abc1bc31f94bab4b |
124 |
56 |
System Integrity Protection (SIP) Enumeration |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
7cac7de2df55c2e3a6ea2825dc0a8ee65b4fa8c5e20a648776883eef5ed47cc4 |
124 |
99 |
Download File To Potentially Suspicious Directory Via Wget |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
c14acc44b7a21724d221a1ace54effc332427d0340619e20a9dc8a66cec01ec7 |
121 |
98 |
Potentially Suspicious Desktop Background Change Using Reg.EXE |
Stephen Lincoln @slincoln-aiq (AttackIQ) |
Sigma Integrated Rule Set (GitHub) |
ad9e20584fed7e2a67c1b21ac30b801ba17f35dfe33a1200cfcc4af157454cfe |
121 |
35 |
Wake-On-Lan |
Joe Security |
Joe Security Rule Set (GitHub) |
7695d2af7ecb7540baa69cd6442745f2c3bdd83d21c904b7a09b2d560c123439 |
119 |
2 |
Request A Single Ticket via PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7b7092f37f648c00a538947e2cb178b5c50e31e552b8bff8251ffaf4d4e49a68 |
117 |
10 |
PUA - Nimgrab Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
91bdf8703cfbad287d4568a09b53790b20efdead5896d044bccf4d80efab7970 |
116 |
0 |
WSL Child Process Anomaly |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
39a511112093810c2b82b35c4c8575b0f249dc7b9e8631fe75c6481c5c7e2658 |
116 |
0 |
New File Association Using Exefile |
Andreas Hunkeler (@Karneades) |
Sigma Integrated Rule Set (GitHub) |
3616394136d97f22be2d8a0718627a44f64289b519a8ab455bef574a2a43961a |
114 |
2 |
New Remote Desktop Connection Initiated Via Mstsc.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
257b13d5b7127756fd3872ae69c87afe430e3a8d7933cef87a19e05fc1658d70 |
114 |
30 |
Winlogon AllowMultipleTSSessions Enable |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4727efa76db9ecb53c0dd7505b171422c948b4b68999ca9c8f1a47f11a387ff6 |
114 |
7 |
Control Panel Items |
Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) |
Sigma Integrated Rule Set (GitHub) |
2f683c72a6ae438b4161918b9e82bb9c7e09f701f65f85be9231ced52084f219 |
113 |
24 |
Fsutil Drive Enumeration |
Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' |
Sigma Integrated Rule Set (GitHub) |
29dde5587c090e85fff677c9d2643ac2deba99c10c07e68a2e71407af9991486 |
113 |
34 |
Potential DLL File Download Via PowerShell Invoke-WebRequest |
Florian Roth (Nextron Systems), Hieu Tran |
Sigma Integrated Rule Set (GitHub) |
abaf76ffe44f9fecc068eae92c53e3c5c4059258b40f40eafc69759c4661d667 |
113 |
21 |
WMI Event Subscription |
Tom Ueltschi (@c_APT_ure) |
Sigma Integrated Rule Set (GitHub) |
07b95c7eb376ac65a345dc6a2c1cb03732e085818d93bd1ea2e7d3706619d78e |
113 |
22 |
Potential Arbitrary Command Execution Using Msdt.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
96f35178aca93f73311713ffbcade7354646a1facaf7c2fce0201147d4b4b5c0 |
112 |
1 |
Powershell add exclusion path, extension and process |
Joe Security |
Joe Security Rule Set (GitHub) |
177e7b167f988da0ec82090f6aaaa1ad7e74609b6832a0abb8759bc9e652fee2 |
112 |
1 |
Lazarus System Binary Masquerading |
Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) |
Sigma Integrated Rule Set (GitHub) |
d945c7338838af1692c329f71f050302338029127281ca66006ba926c9a9d854 |
111 |
1 |
PUA - Chisel Tunneling Tool Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2d130c854a78ff4630994ab2107c3a8b18cc55785432c30b32d253f1c219289a |
111 |
2 |
Wusa Extracting Cab Files |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fb45aeb08550a3b51cede01e424c60a35987f3cba89d7a2e08d5783975154bda |
111 |
10 |
Potentially Suspicious Ping/Copy Command Combination |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2dc5d25da9f75ae324bd1ef4e2e4fb2084251a622beac794700223e8c20907a3 |
109 |
0 |
Gpresult Display Group Policy Information |
frack113 |
Sigma Integrated Rule Set (GitHub) |
fdd0ef0378b9c7a67394fe97fcd782578201d6012af812d4f19483149704a866 |
108 |
33 |
Internet Explorer DisableFirstRunCustomize Enabled |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b5977f01764dc3b0e2e3b7592943fc4bb6b4e55d5fcec607c905ea26d222e9c6 |
108 |
12 |
Port Forwarding Activity Via SSH.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c815b3703c48114366c7be5b543fc8851073e1b27fde789d784a09a657295a9d |
108 |
19 |
Suspicious Execution of Shutdown to Log Out |
frack113 |
Sigma Integrated Rule Set (GitHub) |
3970bd95a88d05869fab2e89b8b02fda81406f83ecd9e197b1249a06a3f8eb62 |
108 |
30 |
Potential Persistence Via GlobalFlags |
Karneades, Jonhnathan Ribeiro, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
94ec0949b00016f88171e5d46125aad5bcbd3980d50085c2ae009dcd34e39190 |
107 |
16 |
Ramsay Malware Behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
9a24e548df204cab86a6489b32a696d4f00e8933893536c518bc73e457c7f3a0 |
107 |
29 |
Suspicious Outlook Child Process |
Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team |
Sigma Integrated Rule Set (GitHub) |
b05b4cfe9fd991fdb7151994946888d5558694fb5cd0726cb437ec39e393a597 |
107 |
2 |
Potential CCleanerDU.DLL Sideloading |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5009a283b0a4eb41a0b527ce473a2e7865766f8bcdb943ddebb06bc75f1c479f |
106 |
61 |
Procdump Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c3f48ada664e96b916cbb2ed88c7f622ced143f3f9e2c039bd4516f81e1c1e4a |
106 |
65 |
Suspicious SSL Connection |
frack113 |
Sigma Integrated Rule Set (GitHub) |
862ef09072518dbd7b5900500c4908a6284ee88f03b45ad0c0b20f3eb495f645 |
106 |
3 |
Lolbin Ssh.exe Use As Proxy |
frack113, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
2055166f6099144ebb73ce53abe7aadcd74447fb30806756d8fe22ac92352f1d |
105 |
22 |
Suspicious MSDT Parent Process |
Nextron Systems |
Sigma Integrated Rule Set (GitHub) |
22974e8b759cb4125a56f2d16e37f8fa3020d7ae087aad754afe46386ea694e0 |
105 |
59 |
WMI Remote Command Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c63cb58172dccb53cf9cd1dd7f6a65cc8843987d003bcbb7b0c1e7769c3821c4 |
105 |
28 |
Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
c654002dc2859e8a2f74ec87ad6ff4deaaf0f42f99603aa964e30ed1b1f01cc1 |
104 |
2 |
Cmstp Making Network Connection |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3ee0f25c3d0b70476bccad0e57a0351cf8822d966bb558a9a49836dccbc9fe41 |
104 |
0 |
Sysmon Configuration Error |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1cd7d30672aa97bf7ad987f1430427c4badcaf9359b200f28071d8b243834f07 |
104 |
9 |
DarkGate |
Joe Security |
Joe Security Rule Set (GitHub) |
dfc9dcb8ede2865dff1a44cb75938a2bc7fdc4d1e1df42cbe2d0cbc6472da1a1 |
103 |
0 |
MMC20 Lateral Movement |
@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea) |
Sigma Integrated Rule Set (GitHub) |
047087ddae3ef4f27e871131c79addb166cb71593c4fb795a5d119d4d78cd0a7 |
103 |
2 |
Malicious Base64 Encoded PowerShell Keywords in Command Lines |
John Lambert (rule) |
Sigma Integrated Rule Set (GitHub) |
2741e38c5a55999659c8e2ffe6365a21db8ec070e03a5a2f78326209ada99b63 |
103 |
2 |
Windows Firewall Profile Disabled |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
489692e72dc0017d68cdd2188f43e162f46de9955dce51c32323345919b76b0e |
103 |
27 |
Potential Qakbot Rundll32 Execution |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
03f2abf64a64f57b8e66090fc2f63645b79fe633bbffa28d32e0440b03c4c0b9 |
102 |
62 |
LOLBAS wsl.exe (via cmdline) |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
55bd30964b2c80cd229425cd10828e1b7c89462547581eb0c4a907c55c87f0a6 |
101 |
0 |
Remote PowerShell Session Host Process (WinRM) |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
9c155c1f00478f6dbc65e449bb4e1ee8d14ca444d40cbb52bd6406320ff20282 |
101 |
20 |
Data Compressed - PowerShell |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
1ea6262b9839c6f8aa32af503fb227a46a6f22b4778711e1a64f62b102e43a3e |
98 |
49 |
Root Certificate Installed From Susp Locations |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
99ad87050a603d266b14f9d38b78913daa61c2b7dc6b1441427d022050ccc8b7 |
98 |
5 |
Use of TTDInject.exe |
frack113 |
Sigma Integrated Rule Set (GitHub) |
ce2c1d30a6032c8bf814508ea0142036631b7b690cff7d809dfac541ddf4c01a |
98 |
34 |
System Disk And Volume Reconnaissance Via Wmic.EXE |
Stephen Lincoln `@slincoln-aiq`(AttackIQ) |
Sigma Integrated Rule Set (GitHub) |
3b87c918c891cc71875e579ccec1db6182cc5e8577cc337cd77a54306f24aafc |
97 |
32 |
File In Suspicious Location Encoded To Base64 Via Certutil.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
01705d905ff73214a70aaa5cc788cda6fa3195220319780605c2ba2c7afdacd0 |
96 |
10 |
Deletion of Volume Shadow Copies via WMI with PowerShell |
Tim Rauch, Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
c7ad5ab5203e14414fcbfb23542125d64b7aca04b7afe48d594ecb9b7c117ec3 |
95 |
0 |
Wusa.EXE Extracting Cab Files From Suspicious Paths |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a3bdc335aeefb2b18bcd061bd2c29809fd034b8ebaf07e3dc6c94af5ff27b7f6 |
95 |
0 |
Exfiltration and Tunneling Tools Execution |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
6ba70df29bf2469a0e7931226da06a144c5e9044543a14e1fae2bcd6c17f9374 |
93 |
32 |
Potential AMSI Bypass Via .NET Reflection |
Markus Neis, @Kostastsale |
Sigma Integrated Rule Set (GitHub) |
4f48e177e42323bad59a64ab7de8ad6105458dbcdbb255b095f3c17aa618478f |
93 |
3 |
Suspicious Csi.exe Usage |
Konstantin Grishchenko, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d478344c6645595e8636745bd5f3fcc68955c4777726aba466ad93f133453add |
93 |
84 |
Suspicious command execution |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
2493810bc5072dfb469437cfe4848e404b84ec5690670b79ab60bdf138d06139 |
92 |
0 |
DUNIHI Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
4e8573bf949d0f277bff56a18b256181b950262693a43cfad1d247e035aec8b5 |
91 |
3 |
HTML Help HH.EXE Suspicious Child Process |
Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
03c63f09ca0da10cdd578a2b9318266b2f2ac550da5b256d00ce4c0cbbbedda0 |
91 |
6 |
Linux Command History Tampering |
Patrick Bareiss |
Sigma Integrated Rule Set (GitHub) |
c5903ffafd80f3200d3223dd44f4e4200331a8bfef040c23fc1812186018c6b9 |
91 |
20 |
PUA - Advanced Port Scanner Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fb482f5fd709d1ae001f190ee187e694e6ae6473e73b36e57e49b6908a1544c3 |
90 |
6 |
PowerShell Module File Created |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ac9471aa53e0850fa4b5f9ae701b9d20783d5f3762aa950efee3d94d5f862283 |
89 |
57 |
ScreenSaver Registry Key Set |
Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) |
Sigma Integrated Rule Set (GitHub) |
6e68f5c105dfd23d227bb84e1d2fc8eda9de15b7826b6c74dcee7913742ea06a |
89 |
41 |
Unusual Child Process of dns.exe |
Tim Rauch, Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
1a409a5e5fee95e8f39012c0517568143fbf3ceac2b7bf87e81ab5eb50d8a6f9 |
89 |
33 |
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6a048234462e46cb2ce5b49006ff2d3e6f3a58ef583716ceaf74d911b04c1a85 |
88 |
65 |
MsiExec Web Install |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c56598b1a4dc67703e332a7df820b31b6690ea40d2352aead9f77f441f6f5b2d |
88 |
5 |
Powershell launch regsvr32 |
Joe Security |
Joe Security Rule Set (GitHub) |
59bdcb50161e15e215ceab8d779ba112cc633a8bde418fc87d450d05d5e78a78 |
87 |
9 |
New Generic Credentials Added Via Cmdkey.EXE |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b71ea6893f3e92a9d7d7ffb0de6a327a1a755b01c115465f079fa8cce81013d5 |
86 |
26 |
Add SafeBoot Keys Via Reg Utility |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d0f01e5bb13e8ce7a78203105d6c6fd359d6150767bbbfa4de80faa61bbf2099 |
84 |
38 |
Brontok Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
cc37d2c965977a035bf3e0e5adc5d1ad561e00eeecc80cde19feb01566a5fa61 |
84 |
0 |
Potential SocGholish Second Stage C2 DNS Query |
Dusty Miller |
Sigma Integrated Rule Set (GitHub) |
dc5cfaa0b6ff45a4864ee8be51bb9c91ef2f5d94c791e000efb78473258ad5ca |
84 |
23 |
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE |
Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4e8b6e96f08290c2d17de56622ea6ab96e4e69ac05b74c3f70d52ed74f859533 |
83 |
37 |
File Encoded To Base64 Via Certutil.EXE |
Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1b6510b58b9f16b947f9e665c0a3f3902f2d51f54d01596eb9545d8fd6631aa1 |
83 |
5 |
Malicious PowerShell Scripts - FileCreation |
Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein |
Sigma Integrated Rule Set (GitHub) |
a76fa0f689961152a23aa5f209a6af1314317a976fc0ce87fc515430cd043c5a |
83 |
11 |
Potential Suspicious Windows Feature Enabled |
frack113 |
Sigma Integrated Rule Set (GitHub) |
cdcec55ed90affa3868db81d308f5a76204c51b717f1cd5ba3c9feee5ce926ec |
82 |
19 |
Renamed Jusched.EXE Execution |
Markus Neis, Swisscom |
Sigma Integrated Rule Set (GitHub) |
395d81f2cea49ebe846ec75b230f6e7f8ff1541f56a65ee0ca6336a3730a5af3 |
82 |
6 |
Insensitive Subfolder Search Via Findstr.EXE |
Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fc0dfa66e10e89529136659b68704c27d9c50955795ed4bd4fb70b8ff27a2cdc |
81 |
48 |
New Root Certificate Installed Via CertMgr.EXE |
oscd.community, @redcanary, Zach Stanford @svch0st |
Sigma Integrated Rule Set (GitHub) |
7967f7ab83c7127d55911fc713e9a9bd4d66a313b85fc76a5957a7666db29e34 |
81 |
16 |
REGISTER_APP.VBS Proxy Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2d663b64fac0627c9d7a810d3e1e3c10a5321e0d9f0ff82bf3f9ade891ad15e9 |
81 |
41 |
Wusa.EXE Executed By Parent Process Located In Suspicious Location |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8a6cc2ec2dfed9361b49f2176c76b8d649124a8c438e3f14104c8ffc82685cbf |
81 |
15 |
HackTool - Covenant PowerShell Launcher |
Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2957c0808592ab632134afd63650be8c47697a8350bb5cb19a8272b9da595777 |
80 |
3 |
HackTool - SharpView Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
fcd75941371f1c365f40d29f8498522d49065fb5ad8dc28a97b979603a6333ba |
80 |
20 |
Linux HackTool Execution |
Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure]) |
Sigma Integrated Rule Set (GitHub) |
86323a066135586878b5ad6ed6ff2638ee0808cde3808480271dfac95b04807f |
80 |
35 |
PUA - NPS Tunneling Tool Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9b4f9dd1295bf299dba100d2a75a3f7188ba51a90dda3e0bf371708f55a40507 |
80 |
0 |
Nocturnal Stealer |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
08655a77d7ea003dba35be4775284dd12a24f9469c9e93ad2d085afe3f4e91d8 |
79 |
1 |
Potential File Overwrite Via Sysinternals SDelete |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c79aec25ed8a3cf07f3a43954d8dda5823dc140075f59c4e0cae1e5a3aee8072 |
79 |
17 |
Potential Persistence Via Netsh Helper DLL |
Victor Sergeev, oscd.community |
Sigma Integrated Rule Set (GitHub) |
cfb3049a2fd55cd1ff6721dc9b502008c4449922474c40b20b8f6fab4f51ce02 |
79 |
19 |
Register New IFiltre For Persistence |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ee0912f0124b2509a7672d8c5478428150f436ec04279e2240e1b457049eae5b |
79 |
14 |
7Zip Compressing Dump Files |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2194ceadd602ef4103a4715be6673214407021d3ff227fc3c520c0b9f51d9008 |
78 |
29 |
Commands to Clear or Remove the Syslog |
Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC |
Sigma Integrated Rule Set (GitHub) |
82fe97976c538cbc804bd324c0c8e95c4df77ed62a637f5e1d33dd2d9c9b416d |
78 |
6 |
OneNote Attachment File Dropped In Suspicious Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
afd9349ba03eb1032e975c339bf0a626bd6fa3cf66270e4bac353a102c07848b |
78 |
56 |
PUA - Ngrok Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c2e9abacba241e42d67c8d6ae1523533d3cb9769cf7315d401744e4266f91ffc |
78 |
21 |
PowerShell Profile Modification |
HieuTT35, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
25ba0fd933ae7d522dfbe81f445736e4bb4015e2ab0ce76d436c139485e79e2e |
78 |
51 |
Certificate Exported Via PowerShell - ScriptBlock |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b1cd37588678d9d180fae5e3ac98088d0fb94bcf137b0f6b423ba503b9c48334 |
77 |
67 |
HackTool - KrbRelayUp Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
914dd9cda73bd6f9573dbe9e9a1fdfc390464d03b96dd1d0ac163be4f300aff1 |
77 |
0 |
Lokibot Detection Rule |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
be942c1d0e5d410fdd49ca407572405db53d2cebec6927a56b86b1bf02d58983 |
77 |
0 |
Print History File Contents |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
57c5fa03a480d2503b2cd8c6055b57b3042a03030864c8e431c7077229e32019 |
77 |
3 |
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9c7804b6bfb1ca0e93a863185af19f14432fde4b07d2ac68fb1a44032467c98a |
77 |
20 |
HackTool - Bloodhound/Sharphound Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cfc47087b4c2d98cee5d80b1383b55212d8fe298ebc880e15c894f55123fa95a |
76 |
6 |
Malicious Windows Script Components File Execution by TAEF Detection |
Agro (@agro_sev) oscd.community |
Sigma Integrated Rule Set (GitHub) |
1aed5dfd628d749d7b679eefe579532b3ff3ca46fecf65776910e7de7aaa6148 |
76 |
2 |
OS Architecture Discovery Via Grep |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
1a3577e67f806b29ef2a52975305c90e5a28597217567af774c26c0bb29a837f |
76 |
46 |
Run Whoami as SYSTEM |
Teymur Kheirkhabarov, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
6af189a96d12cb443ce812c507e6b5326d70cc43e4f8a8b179fd45d5acee44bd |
76 |
6 |
WMIC Unquoted Services Path Lookup - PowerShell |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
420c9214a5aa1f50a2a85504e221b82931637956daecbfebfda630bb7c586f60 |
75 |
29 |
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script |
Tim Rauch |
Sigma Integrated Rule Set (GitHub) |
3fad126ae93b8bb078502d36cb4e234c89c2539784bb1f8e446e615d3f54c186 |
74 |
3 |
Powershell Local Email Collection |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7a8c60222c9d0320cd13f6c3e00c4279e2961daa1560bebf35dfe8f0de4387a4 |
74 |
36 |
Testing Usage of Uncommonly Used Port |
frack113 |
Sigma Integrated Rule Set (GitHub) |
45fddb986c296e8a5cc65d9e7d93b5666adb505378e865f501b8a9946a4cc8fe |
74 |
52 |
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0caa50babf4475fc8fa04167d47d87d1e0d04294b8534c19e180e2c9dde0012e |
74 |
56 |
Windows Firewall Disabled via PowerShell |
Tim Rauch, Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
a0a3572f7e566559cfcfc8970108fc01b0ad35103e76b5359955ed4c7d4ac60e |
74 |
4 |
Commands to Clear or Remove the Syslog - Builtin |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9a49b4476704bd301f2c0b13c87316f7e92aef899ef21b8e3f6db3c943390df6 |
73 |
3 |
Renamed Msdt.EXE Execution |
pH-T (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
547b4f9fe578b9d949c01be391e76decb1e95b632ac54aac474eb858c0f1f5b3 |
72 |
7 |
Suspicious Process Created Via Wmic.EXE |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
97abad7c8edb5cdf286b45712f14b577d1653fa738d3d330a0473a1d48e5aac4 |
72 |
3 |
History File Deletion |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b5287b77a0f842e5d6ac8cf6125132aeeac4e8f639751744c9c256006803a919 |
71 |
16 |
NetWire |
Joe Security |
Joe Security Rule Set (GitHub) |
f1f1e749b0e91b9e079a2fb92be3e128291eda84c02064028a1d037f450f864c |
71 |
0 |
Powershell create lnk in startup |
Joe Security |
Joe Security Rule Set (GitHub) |
fd5c77e4a6ca9deb325d7525e8219d80cc70e6bbf765e2d75ab4f30f6be7cc9a |
71 |
7 |
Renamed ProcDump Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
db74c62019a53e7519a7392215062ee6be4525e5374b4191fb8eeffc81cb981f |
71 |
24 |
DarkSide Ransomware Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5c4ba608ec7db931a6491db14857b098a88caf78b2c28087f16fa4aeeb05c8d0 |
70 |
1 |
Potential Persistence Via Powershell Search Order Hijacking - Task |
pH-T (Nextron Systems), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
262548bdd551b5516ac8ba4e7c13b94c1164ea5766dc08877e95dcb2930be717 |
70 |
7 |
Potential Signing Bypass Via Windows Developer Features - Registry |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bc27e2c02d1cb4d2eba75aa1668359b5caaafc79eb2531bdbe54410d63d727f3 |
70 |
22 |
AnteFrigus Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
8b18641dc7819baf3c131b24088048e3cf6ac0f5946f136a2c0b0b36a3754141 |
69 |
10 |
Execute Scriptlet from internet Via Regsvr32 |
Joe Security |
Joe Security Rule Set (GitHub) |
1dfe86ef579952e7d83c7cab84e28986946f0660fc39224c8c471d29300a9885 |
69 |
2 |
Potential Obfuscated Ordinal Call Via Rundll32 |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7bdb12eebdabf1b207f0dbcb9c1b6b22d47d6d42e5ac4839dc0945d338faf27a |
69 |
2 |
Replace.exe Usage |
frack113 |
Sigma Integrated Rule Set (GitHub) |
067314a472e516edad2a871cb6ccc07c4490f9e36622e820cb8d7ff88b0f9fd5 |
69 |
0 |
Suspicious File Downloaded From Direct IP Via Certutil.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bba68f86faec56fff7827bdc8b4bb20cf69d80ccf8c956daadc7bd68839665ed |
69 |
3 |
Decode DLL Via Certutil |
Joe Security |
Joe Security Rule Set (GitHub) |
512a021b2a6002cdc06a23350dd7744a78311e5eacbe59b19864a594b50fc33e |
68 |
0 |
Potential EventLog File Location Tampering |
D3F7A5105 |
Sigma Integrated Rule Set (GitHub) |
69c8a912add6ff74c81727a758b844925127c8257fd99143e46ba28f67a29517 |
68 |
45 |
Suspicious File Download From File Sharing Websites |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
81df8b624648173975c91181526939696ab64698fa03b22522b81744d5cc10bf |
68 |
36 |
Disabling Security Tools |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
17b8565aac7819789a47a069aa7bbdb1c69f755edcfcb766c10e1d973768a357 |
67 |
3 |
Mshtml.DLL RunHTMLApplication Suspicious Usage |
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA) |
Sigma Integrated Rule Set (GitHub) |
81da16a2acd4f2ead3a5744748fade75b7d63b7ec6498731e5106bf2d48265b6 |
67 |
6 |
Scheduled Cron Task/Job - Linux |
Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
17e54e203e8a8aa2c9b914202cbafe7a371b6019f97729b83dc10a8f643dc884 |
67 |
11 |
Suspicious Execution of Sc to Delete AV Services |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7f8a2779f372784da42ba3ea542708f81eb3d3784b03ec4d156d94dbf9190887 |
67 |
4 |
bitsadmin download and execute |
Joe Security |
Joe Security Rule Set (GitHub) |
613bbc724cd17594b42667a8a5c4df0dff074adfb53a590f30f86743bc9b5b47 |
67 |
7 |
Registry Persistence Mechanisms in Recycle Bin | frack113 | Sigma Integrated Rule Set (GitHub) | 661375a6a064f858d66665c13895d00ce56bb356ccda48cbc40727b9b6f4e220 | 66 | 1 |
Abusable DLL Potential Sideloading From Suspicious Location | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 566d4ee50b2fbe8a5d724a630f1f5eedae86a015b59b83014a6e8612339d8523 | 65 | 7 |
CARROTBAT Malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5244e0d5e7e39e2209c4a02fd25867f6008966d611f19da634de6505358c95a6 | 65 | 3 |
Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 3fba0f206c1c867f04a34552b850e8eeb0b219621923d394bddad4789f293152 | 65 | 55 |
Enumerate All Information With Whoami.EXE | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 746ffdc60cc4e7f5b9ace4026da8fbc6a009bb58f285f72d6c62cd9b9f2c867b | 65 | 15 |
Potential Iviewers.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4a3ab15f0d9e71b31849c630b42e36683c5269c2ce71c8042193fc224000fd25 | 65 | 7 |
Scheduled Cron Task/Job - MacOs | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 572b438b19c769d86cabf9aef66e7f6d1cadfa28c31734af9cc9577e10af72b7 | 65 | 9 |
SharpRDP execution | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 31cfc7594bce0379cd087a7f0fc2e2da4a491ff6b2df31db447eac7eec8b2d22 | 65 | 14 |
Filter Driver Unloaded Via Fltmc.EXE | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | d00afaccf4e488d3a0607eb98f532801d652935f6a0f82e8dfe2240b90f12b5c | 64 | 43 |
Nslookup PowerShell Download Cradle - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4755ccbf487b7c6fdaea8383493917837a2c86ff682d94f0f57d6b09349e0ddc | 64 | 11 |
Oxypumper and Qwertminer detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2e9004538d0ac25abf5f74d2ab10e6804e8c5a6d78ded8ec678d1d57791fdd4d | 64 | 9 |
Potential Defense Evasion Via Right-to-Left Override | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | 8c9d950be3588ee779f57d3c33f03abbaa5ab145cac1a897bfa816cd0745a1c9 | 64 | 1 |
Suspicious PowerShell Invocations - Generic | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d0b30db49f680fc7c412d09dc2099e655eb262fd5ef5b03fb5304663ab79137a | 64 | 3 |
Vulnerable GIGABYTE Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e55e3c4025c22c464d209815a3411299c407e870eab4c5aa9ef362b217babade | 64 | 1 |
Creation of a Diagcab | frack113 | Sigma Integrated Rule Set (GitHub) | 76466a8380202538b40850a954fbd8b6bab964c61bff3742c35d8a8e0bc582fe | 63 | 24 |
New TimeProviders Registered With Uncommon DLL Name | frack113 | Sigma Integrated Rule Set (GitHub) | 4644dba35bcca22688aa47798c36c6f13bf03864da995c52366df9c473e02450 | 63 | 9 |
Office Macro File Download | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aaba58981e0428da3913c964606d7609d2f2b2553131eb76cbc3b1fbc611008a | 63 | 61 |
PowerShell ICMP Exfiltration | Bartlomiej Czyz @bczyz1, oscd.community | Sigma Integrated Rule Set (GitHub) | 504cd1bcea14d3f138e4253108d6978349e99adf5984333e0d5d78865dd1a481 | 63 | 26 |
Cloudflared Tunnels Related DNS Requests | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | eb3d787705736430a92c127b22627ce5de4f5d421899962446a84013018022a9 | 62 | 17 |
DNS Query To MEGA Hosting Website | Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | 8c60cfcbc7464b6af5d7b236a49a53fbfde22feb2036abbf947df7322a7343a0 | 62 | 16 |
Execute dll with txt extension from temp location | Joe Security | Joe Security Rule Set (GitHub) | d8d01ff318fd81c3e8579c3f1dbc420f408beb4b67bc9be1a4bbdc759dce812a | 62 | 6 |
ShimCache Flush | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7755af8c0fe9118bb510e5bd0317a174fc59e613270dce762bbc67cac8f68d15 | 62 | 35 |
Linux Network Service Scanning Tools Execution | Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure]) | Sigma Integrated Rule Set (GitHub) | e34284bbb0ad4c302ba9dd1fde4f2de41f24db62c0b7bbd57804d77d81b02119 | 61 | 47 |
Network Reconnaissance Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9d9af026eaa77db7d0e5377f50092e459940178fe0e043501343b6432f0f94d4 | 61 | 1 |
Potential Vivaldi_elf.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 346397c1566ef1c4a5cdc5efaf829819cab3cfe203071185adb35187df0ce7fe | 61 | 61 |
Powershell XML Execute Command | frack113 | Sigma Integrated Rule Set (GitHub) | b8a4fbd826f854871ab62dc0ad49ae048575057a6293a2c8109f04b8662a8162 | 61 | 24 |
Suspicious Powercfg Execution To Change Lock Screen Timeout | frack113 | Sigma Integrated Rule Set (GitHub) | 82b3e64b1ffbd6e42b9c816c24dd39f029501b0a8e06e337701dfc101f978f0d | 61 | 13 |
DeviceCredentialDeployment Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 63437b0e9c5e21d2823a28f0a428ee4bad8d30ba59ddbfb9227fe13452f1aebe | 60 | 3 |
Enable Windows Remote Management | frack113 | Sigma Integrated Rule Set (GitHub) | 7f8fcfb39f92617ac21dbc51e4c66b0663520cef30300bc28dd89572f6574253 | 60 | 39 |
ImagingDevices Unusual Parent/Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 95fe2608b1dadcb60e16a7627b715b848f056f452fc93639201d185bd1c91a25 | 60 | 0 |
Removal Of AMSI Provider Registry Keys | frack113 | Sigma Integrated Rule Set (GitHub) | 29e103486311c7c5f253e500ab6386c2aba984cb782efe903a88f082d3f70254 | 60 | 7 |
Ryuk Ransomware Command Line Activity | Vasiliy Burov | Sigma Integrated Rule Set (GitHub) | 1a2c4b1ffc8f65b4edf9020cfc1b6203854d13592539752717c107cd6357489f | 60 | 4 |
Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8a1a4505f9c0ee688392c73f69566ea35c3597f51241af4cb0ddb23057c95474 | 59 | 19 |
HackTool - SafetyKatz Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e12ef0018b230868661eff7c8a74baf3f9a0ea5e0380b63b339c9218278f2057 | 58 | 0 |
NTFS Alternate Data Stream | Sami Ruohonen | Sigma Integrated Rule Set (GitHub) | 535b54123e1e90e346eb48779d2bdc19508f9a3aef7f7cf48bddbbd43f953478 | 58 | 34 |
Potentially Suspicious Regsvr32 HTTP/FTP Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e907309004a16bdbee14bf081959e1fdd8d3923c01d4153603226d7722c190c6 | 58 | 24 |
Suspicious UltraVNC Execution | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | a1005bb393ae9323ec95dc47f2348fea7262e1297f7d5c4e3c9b21b672fe467e | 58 | 5 |
Cmd Stream Redirection | frack113 | Sigma Integrated Rule Set (GitHub) | 5f96e6b063aba9535c425e87ec855e1751d2d80c4099135c5b165fdf5bdbc5dd | 57 | 6 |
Powershell Inline Execution From A File | frack113 | Sigma Integrated Rule Set (GitHub) | cbf84e925032ab806dad545cb848e4318b275d75f3a40c8cb9664e0172444779 | 57 | 19 |
Service DACL Abuse To Hide Services Via Sc.EXE | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 31469fa3c8d37b7e80913d07ce5549c9371e193ac3f0d3211f519adbb2de950c | 57 | 1 |
Lazarus Activity | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 735c9c8d6f2afa0f395d670a4d21f211de96cbab610a1a63b20bcc981d975f0f | 56 | 0 |
New BITS Job Created Via PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | cfec5ce24be18b8a5b6ee565ce5bb62f0aa614ff0754094a9cb6d113b97decbe | 56 | 5 |
Recon Information for Export with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 713f92f086b68096c3f56ca930b031275ba60fcd9b0986dca0e69d63a349fe11 | 56 | 3 |
Shedule powershell with encoded command parameter | Joe Security | Joe Security Rule Set (GitHub) | 915a39321a250831a95cbb6b6598214820d1be1095aee6555106a9ca7d02a36a | 55 | 0 |
Uncommon Microsoft Office Trusted Location Added | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e2890486c08a6306f0ed3294555a371fc9af6989a617f720dcd5d85002823cbf | 55 | 29 |
Windows Kernel Debugger Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdfabe357d29db481ce92a1bf99197e1220f79336d0a6a891f56d430f607e756 | 55 | 6 |
CreateRemoteThread API and LoadLibrary | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 7b3a31059be73d0a2a66f61915b2e5a4f5a37cea4d4de5e3cc8c24f5e2a310f1 | 54 | 4 |
Portable Gpg.EXE Execution | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 37975ef2a9d7686f9cb4712638e4cb91aa474f7ff5d6d96097cf31e8ac891e00 | 54 | 7 |
Potential Download/Upload Activity Using Type Command | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 60989d33f57e8b54080cc6f5ddf172214858d74acfac7a314daabf794b9ffe4b | 54 | 4 |
Suspicious Usage Of ShellExec_RunDLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 583f46a94081ca6e4e09e8191f1cc5fe8a0b11239ca27da18ef2ad12a48786b7 | 54 | 0 |
Linux Shell Pipe to Shell | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 961d6ba3c55de28bad39a9ca6bc10d12d7d1180abd7f3b15244347c72b37be1c | 53 | 2 |
Post CVE-2017-5638 exploitation | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ac7133ba82228763e38c9dece3427e679698ee3bedde0c21e00adf3e4dfa06ac | 53 | 0 |
Potential UAC Bypass Via Sdclt.EXE | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 9076ea2849a39de53427fc7d336a9132ac1d6dea68e77efa6abafebd89ee90c9 | 53 | 10 |
Rebuild Performance Counter Values Via Lodctr.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f2f0bbc1c620055ffb4b0372c73c17ad21ce521d43cd8a6d18c9d374f83932f1 | 53 | 30 |
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE | Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | adbbf1b1fe76c2a86e148fcc66a37c2f361f6d40ce55e510f70409c09d434ea2 | 53 | 16 |
Creation Exe for Service with Unquoted Path | frack113 | Sigma Integrated Rule Set (GitHub) | 3b925709ef1196fbdf20c495c5a7972944bd56a4ab342009ef41e3f3273c15af | 52 | 0 |
File Download with Headless Browser | Sreeman, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ab434fe480ee2a7a4567eef38af37753eb61b2fe82708db1056313a73ab0fac0 | 52 | 3 |
BackSwap Trojan detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6cf0858071345dfa209de5be9510786314771819c7ae412dbfe82b134cb3697c | 51 | 2 |
Created Files by Microsoft Sync Center | elhoim | Sigma Integrated Rule Set (GitHub) | 90e6abcfde9453786cbe5eb7bd26a659703b1abfdec9d9441778c362dd6be63c | 51 | 0 |
DllUnregisterServer Function Call Via Msiexec.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2e95aeac423a48e1ef8f7275c2f49a8fe3fe9a7e83b9db9f856d1f2d3edb1a10 | 51 | 14 |
File Deleted Via Sysinternals SDelete | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 13320004e8b7f532ff0dcbcc7a564fd60fa782490cdaf6e553e89088ded28e41 | 51 | 5 |
Potential Persistence Via Microsoft Office Add-In | NVISO | Sigma Integrated Rule Set (GitHub) | 87bbef1292c33b8d07238254d96faa4edbe7d7b241c05444918849684077237e | 51 | 10 |
PowerShell as a Service in Registry | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | edeb7efda75eef0c30275df1148d63a2707963d2d9735d444a56536df2161a9e | 51 | 1 |
Socelars Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3b19facf348c1fe8db660733298928cb749e5dafe84ca3025f86b31129352e51 | 51 | 0 |
Uncommon Extension In Keyboard Layout IME File Registry Value | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 17a95e740c3d081eefeec61bf1fd312a2276a380be6923c632ed7d8660285301 | 51 | 0 |
Suspicious Curl Change User Agents - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 85e2c3c8bd260f8a67a582a43493b73662159bf74036dcc05b8952c84be8bc2a | 50 | 41 |
Suspicious Execution of InstallUtil Without Log | frack113 | Sigma Integrated Rule Set (GitHub) | f87a49b6d1417f2f418f84c8a8b3d23964133dc7c1b7e18b02a1d2b8deaba8a0 | 50 | 19 |
HackTool - SharpUp PrivEsc Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b9df87571912714cc7a36f7a1ca3fdd9625d8ccc37a12862bdb202fba7c22869 | 49 | 3 |
MacOS Network Service Scanning | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 4fff924a8370247252e1b93169b91f3d7ed7d41b98603cfd2b8ce78153c97dd3 | 49 | 37 |
Suspicious Environment Variable Has Been Registered | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b699c275e510eda7cf1e9f4fdb0a9e8e780d9e307b37d98aa4524c6975b9847a | 49 | 9 |
Suspicious Where Execution | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 46ae66dd22967fe384fb2758be37ee4bc4eb6756891eb9d7ebb29342e2dd03d1 | 49 | 33 |
HackTool - CreateMiniDump Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8618cac2c2c1ec1d0e5b729eab2f28a1585a023728c5aaa9fa184b786b52a337 | 48 | 44 |
Hacktool Execution - PE Metadata | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8b5d84914e5e7715fc7effca7b1d2ad513d7fee3b5afb0e324a42c2d3103cd49 | 47 | 0 |
Potential Attachment Manager Settings Attachments Tamper | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ab75582abe82ab90071a874b2fc815cf2027c5505ce7f0b149210f67dd27dfbd | 47 | 3 |
Potential Persistence Via Microsoft Compatibility Appraiser | Sreeman | Sigma Integrated Rule Set (GitHub) | 9fc475ae448749ce7b6c7760c27eaa960cebb3e61dd32ccdd1ffa55dc831eff2 | 47 | 21 |
Potential Ransomware Activity Using LegalNotice Message | frack113 | Sigma Integrated Rule Set (GitHub) | 7c1a95ef0474a975a04b961bfb754a69cb4d482b12e33fc8194798229f828125 | 47 | 0 |
PowerShell Script Change Permission Via Set-Acl | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4dda7280ec76865e53f8a5b9094b4f45af5182eae613d2d336f0bbbc028a76b0 | 47 | 6 |
Powershell drops NetSupport RAT client | Joe Security | Joe Security Rule Set (GitHub) | fff7f3f069862bd6d4a1202e842c62ff93c981b9fefe582ca76320826999ff81 | 47 | 0 |
Registry Dump of SAM Creds and Secrets | frack113 | Sigma Integrated Rule Set (GitHub) | 3e6aec9c264981c1c738cf2bb29a907f7fc01867b91cf31a6d4ba46d35129230 | 47 | 10 |
Suspicious File Encoded To Base64 Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa7741239d7d626a6e7b92ca2405578c580c500eef1489d3115aef2b00b667d1 | 47 | 16 |
Tamper With Sophos AV Registry Keys | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e959b2b5eb8766c7e43ff42c19d740cc07c317b6e149c3d8a8901fb6440f5af8 | 47 | 39 |
Access to Browser Login Data | frack113 | Sigma Integrated Rule Set (GitHub) | d3129d20de2d7890e0b90366b7a86a16ce9ca2c330c67005b72bfbd4105aa6d8 | 46 | 15 |
Potential Goofy Guineapig GoolgeUpdate Process Anomaly | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3de373579cf42d786c41c5e8a743ccfd4b7b5dc392778d033e34cb2284045399 | 46 | 0 |
User Has Been Deleted Via Userdel | Tuan Le (NCSGroup) | Sigma Integrated Rule Set (GitHub) | 841f0c710bf05773a21dbfe0cad9bb0d7a04273cb01c06da89b03b588376c12c | 46 | 9 |
Suspicious CodePage Switch Via CHCP | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 843024550fd9239f814fd3dcd7f1f768fe7316501173bb485e673bdb9abf1d63 | 45 | 9 |
UAC Bypass Tools Using ComputerDefaults | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f0a2a0d6b300aa9b5100a3fcd8fda2e183d4c22f4c748ebf056b724965c77639 | 45 | 0 |
CodeIntegrity - Unsigned Kernel Module Loaded | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 647cd15325a4886379855a1ac10656200efc53f23b4acdaedb38599f61f8edaf | 44 | 20 |
ConvertTo-SecureString Cmdlet Usage Via CommandLine | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | d44e437dafc368f03a2c93e0239ddf8a89f25343b0747774d67a1b84e48eca09 | 44 | 5 |
Deleted Data Overwritten Via Cipher.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | d3e54936275abafa46d4b77891ec8f7fe6dd55d420fec613476144dd5d26f1a7 | 44 | 4 |
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 30c408d940a17c92bda9a7a3661343cb4849cb5206311af462dfa18993f9f0c7 | 44 | 0 |
Obfuscated IP Via CLI | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f9580d1ddc8753d3db3625ce853e150314b148df4d5279a69d3781cc031996c9 | 44 | 2 |
Remote Access Tool - AnyDesk Silent Installation | Ján Trenčanský | Sigma Integrated Rule Set (GitHub) | 8c68ebe0db23e4f70c3621d56e4ce298dcf255e61288342e6b4760dd0af96c85 | 44 | 5 |
Remote Access Tool - ScreenConnect Temporary File | Ali Alwashali | Sigma Integrated Rule Set (GitHub) | 89e2039b23d63fdecc8053691737fa87fe9a15765e0720e5fd3f99847b67fd93 | 44 | 0 |
Renamed PsExec Service Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80d7ce564675dedfdbf8c13540cced6343bb1708c20306349a108b369920509a | 44 | 3 |
Use of FSharp Interpreters | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | ab87de6df917b48304e512d979d27ae1a0c4b3b63106217afe10aa1059195e7e | 44 | 18 |
Credentials In Files | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | bb9fce766014ab2fb22106410384571f0217fa35e9914bdc3dd86452d8d4ed64 | 43 | 20 |
Linux Base64 Encoded Pipe to Shell | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c1f964672685d4a8074a0afd7ede2d3d945dd73712ba41714baef2affeb3f567 | 43 | 0 |
Monitoring For Persistence Via BITS | Sreeman | Sigma Integrated Rule Set (GitHub) | f9b2dcdba235a40678fcd4411540f98adc4caca054a247054eba6b040b37243e | 43 | 5 |
Potential Regsvr32 Commandline Flag Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0febc469c613c6ae3155a46fb291f1ebf74d38c09b1dbb5478c2f9f36af7b599 | 43 | 14 |
Sdclt Child Processes | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 440b98d4bf30e3c39e7c17aa21aaa561647a4230e418cf901961b1604e27877c | 43 | 9 |
PowerShell Called from an Executable Version Mismatch | Sean Metcalf (source), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ed7108b00b6a517dcbcd529d98b8c8e1ed551160e89bbf03699b6fe2e3b49fc2 | 42 | 5 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 3ac562f761dce56ddce1ba6581aace41ae7b64cf2b9fd64295b4d9d43c26aa21 | 41 | 10 |
Creation Of A Local User Account | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | de6224d573389a0f865f0a33bd9bc3784cd12bf697150f8f8e0a9708a4e00199 | 41 | 41 |
Dupzom Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 68250cc49ef2301bbd3bc5104579a2f065206211acccf6978a71097bddd98d6d | 41 | 0 |
PUA - Nmap/Zenmap Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4225d7662d0eec6d20893e2e9f75328a37cc7a24ba7f1932e3c993cf482e46d5 | 41 | 18 |
Potential Credential Dumping Attempt Via PowerShell | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 860b2c5aa11877dcc332abdbcb448878b95f010531b81f04afb77fd2c7aaf9ab | 41 | 7 |
Potential Process Injection Via Msra.EXE | Alexander McDonald | Sigma Integrated Rule Set (GitHub) | 973e933a4e2394093f5cce603e5ffadbcf35df2afd29c4dc0e1a002e06d9b58b | 41 | 0 |
Default RDP Port Changed to Non Standard Port | frack113 | Sigma Integrated Rule Set (GitHub) | dc0c536bf76ee17ec594024c9b331e97f259d945e0c52ca0f468b6d323906d8b | 40 | 4 |
Suspicious Scripting in a WMI Consumer | Florian Roth (Nextron Systems), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | aa9824d65395eec625b665851ca4456503a8111e058eab9487c34500b30ee31f | 40 | 0 |
HackTool - Inveigh Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2bfe4c7c4dfa23e7dbcb187f2cbe57e783da76cc66114dacec73520935d9bf78 | 39 | 2 |
VMToolsd Suspicious Child Process | bohops, Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | bd7b9679a8b4de81c85050399fe9679a23a1ea3bb48ef31509d208152db750f4 | 39 | 1 |
DNS Query To Ufile.io | yatinwad, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | 948e697920a298ec6250c9c3157174bb53f162acfe6435ef673ac34c61021f2c | 38 | 9 |
Disable-WindowsOptionalFeature Command PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 3becb58829ad8f8f58a8716e0deb90627269a650475809ba1704d3facae71a69 | 38 | 16 |
Glupteba malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bdf42e1363c4a10d6bcc355bf1a7fd1cb54d15737372cbd542de0642fb26eb5b | 38 | 0 |
MMC Spawning Windows Shell | Karneades, Swisscom CSIRT | Sigma Integrated Rule Set (GitHub) | db1e0cf723dcd4169ac8bc1fb3f0679715ccb323d3a3e42e23cc811efa0d9e98 | 38 | 1 |
Potential SMB Relay Attack Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d702a3f44f93b4f3f9c5cd7b73d3901b2db7d1b3db3e051b5135849e3f812ecb | 38 | 0 |
Regsvr32 DLL Execution With Suspicious File Extension | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | f64c98dfb55189f8f65b8dc8c77a020a4c869933083e1b3ef087e4dba264e864 | 38 | 6 |
Remote Access Tool - AnyDesk Piped Password Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e0d326cf1248be3c35ad4a980fd0b6fd00f190e2b6bac28494062e11f1d9db1 | 38 | 1 |
Remove Account From Domain Admin Group | frack113 | Sigma Integrated Rule Set (GitHub) | 2b323eb1de293c4dbf91041f23c3507c4aaf71c4bc36b04ccb8fc5731995a398 | 38 | 17 |
ScreenConnect Temporary Installation Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | cbf91c8dea063cd256525b4053b25b4afe0528021d02d0b0d380321ebc5c9a7b | 38 | 3 |
Sysinternals PsSuspend Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a5499c523df320d4d17393e8439d7a17bdbe13b398428715aa85f865a9ac040e | 37 | 5 |
Unmount Share Via Net.EXE | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 407e4bde1473325159e680d149f0f254239a0a299c46a43635758710d7592f65 | 37 | 6 |
Adwind RAT / JRAT File Artifact | Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | a7648695383d3c54094a9a623178342f9965ac5977fdf3c70016e06b5d12fbdb | 36 | 1 |
Changing Existing Service ImagePath Value Via Reg.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 3a4567bd735e7ae20a9b3bf3921ad6e9acdec3b957cdbdb4eebfd6feed5670d3 | 36 | 17 |
CrackMapExec File Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 254c83f0491d9e699fbdf23d06bc63ef62e908d45901cb872d0268ad51aa0543 | 36 | 6 |
Drovorub Malware Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 00861734ad4b4865c4fd337b091aace8388feda059f681fa1a0d0a6659b55d31 | 36 | 11 |
File Creation In Suspicious Directory By Msdt.EXE | Vadim Varganov, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43c5a24c90e796a35f043d1ffc474c71db1b33cbb25ae045be1efab7477bc486 | 36 | 5 |
Microsoft Workflow Compiler Execution | Nik Seetharaman, frack113 | Sigma Integrated Rule Set (GitHub) | 360867571c752aa9ec6da95a6c3db7a37dda60e6627df594f31f89692b8063d0 | 36 | 7 |
Named Pipe Created Via Mkfifo | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 77f498d597306f31d012acd8f1cacd8b91b660138f6b7da5223d25351be26d4c | 36 | 28 |
PUA - DefenderCheck Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d29242190c6dffd993895588fbb9a2918a3e0e636e3cd6560339d9ae469f3bdf | 36 | 1 |
Potential Persistence Via PlistBuddy | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 0850dc4a94c84042d7171de3546d552afc54d9d8acb5e48096ff4ddb12b7691f | 36 | 1 |
Remote CHM File Download/Execution Via HH.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5544bfe63d743fba858c3a75c7dd46a76520367a1278b1fe3d5c5609dc42fc4a | 36 | 29 |
Suspicious Rundll32 Script in CommandLine | frack113, Zaw Min Htun (ZETA) | Sigma Integrated Rule Set (GitHub) | ee7fc4aa3dcf06ddc37a9dc24c2fe5a2d394cc53d560d2214a8f5455eedb6291 | 36 | 0 |
UAC Bypass via Sdclt | Omer Yampel, Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9e30ed5d0167ae542ae090b30e0049496a63c5c9c63bb37e80d62532640cfc6b | 36 | 0 |
DLL Load By System Process From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a341c10327c4d8c5407ea5b704ad11932a391174e37332792a2b456adf4ee9b8 | 35 | 0 |
Pikabot Fake DLL Extension Execution Via Rundll32.EXE | Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d2e7f69856c6eba054ab2d9b33d6e18e37f32395e2ec959833d093e0f329e64 | 35 | 7 |
Potentially Suspicious WebDAV LNK Execution | Micah Babinski | Sigma Integrated Rule Set (GitHub) | 6e4a67b9f486826d18a1ce99c8aee3a5716e826b350437dd6d7b2382e9e6e61a | 35 | 0 |
PowerShell Logging Disabled Via Registry Key Tampering | frack113 | Sigma Integrated Rule Set (GitHub) | e08c8016940ec5fbedc1d8b08fff3fb1c6bdf197e8fea3c4fbceaa55058f07a3 | 35 | 3 |
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale | Sigma Integrated Rule Set (GitHub) | d5b76fa3cab42361e745d7a1c59d40820a1cab108d30fd2d9fef6c3aade085b4 | 35 | 3 |
Suspicious Mstsc.EXE Execution With Local RDP File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 205a65cd894184e7d2a59da78310f8cb3262995f30c3015a05293c7754e5916c | 35 | 5 |
Suspicious Nohup Execution | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | d30303a3345f6a0b7f9c34a75b5a00dd959e4955da823dbe1207107eb2753920 | 35 | 10 |
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | af6fba732192700a3e6067cd1013a488ce707b800e7633a9a7aa67b66fd57ec2 | 34 | 4 |
Sage Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 71d449cc65c29ab2e4fee214298f208b87225361a0f65f0f2e73bfd7875b1ef7 | 34 | 0 |
Script Event Consumer Spawning Process | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 99d3f28b790cc9edbf77b5fddd446d2ec05f85ee550310a2a3863e3171a9bd54 | 34 | 0 |
Unusual File Download from Direct IP Address | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a2b6862e0b28e1527a68e771f4a09cc77cc168e10e6c8d978df736c414320a01 | 34 | 7 |
Wdigest Enable UseLogonCredential | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 549fd181a20cb87efd19fddc858140d8495cd434cc6a9b662dcc7d8bb35804ae | 34 | 1 |
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock | frack113 | Sigma Integrated Rule Set (GitHub) | 1bccdc208f191ae10d0fa42675f08a37e14e4f39ff07da3fc0c15510993f6e9c | 33 | 17 |
Bypass UAC Using SilentCleanup Task | frack113, Nextron Systems | Sigma Integrated Rule Set (GitHub) | 09bd87cd156913fd5b64ab548f700258c49833a235b205c8494f05634670d8d9 | 33 | 3 |
HackTool - Generic Process Access | Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | d75877001c4c1624b11d25475f47d8be26299f4d7b63b5f142efab818fb42372 | 33 | 0 |
PUA- IOX Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df765eaa567c547d6a5b1ade1739bfcb54c5c9a76cabb60de34451560bdaf198 | 33 | 0 |
Suspicious Cobalt Strike DNS Beaconing - Sysmon | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b55c667fef3a16ff308f801e44896c36f9754c98321c12bc516a13477130f4fd | 33 | 0 |
Binary Padding - MacOS | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 02cb79a02d071bcc40631d144c5a778d3326e0d2226089538e755f27dfac2048 | 32 | 28 |
Credentials from Password Stores - Keychain | Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0a2ce7410c4271e6c41926b4fe0f5903a05d4a02cd8dcd4a273e86065b3f46b6 | 32 | 31 |
Frat Trojan (Loader detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ba827fe25e86d6bf964385767d27442482e273923ce0185d7c335239fda7a2b2 | 32 | 0 |
HackTool - Htran/NATBypass Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | becb1782f61cc6f06558e9bdda4cbc531606bfb0b4b92c0667d6dbde99a67b77 | 32 | 1 |
Linux Remote System Discovery | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | b76b38e7cf87e1b2f37b568047e66cfd972f62fbfdebc15ecff4adb21293b524 | 32 | 27 |
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6b5efce8659d3a3b0a47725b973669cf5b071a5a685525042188d1670c7b2d82 | 32 | 4 |
PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8d515240682e798faa78be0b976770c35f93bbf484d6a3876b1f640670a5aaee | 32 | 1 |
SQLite Chromium Profile Data DB Access | TropChaud | Sigma Integrated Rule Set (GitHub) | bfe106c088dbc3f0a1e36442a1cffcf01752c0edc0253863c36640731be1e240 | 32 | 0 |
Windows Credential Manager Access via VaultCmd | frack113 | Sigma Integrated Rule Set (GitHub) | 3444e8af7fe049353761c697d9c300841002cb9979f0754558abb2baaa8c915f | 32 | 2 |
CobaltStrike Load by Rundll32 |
Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
a92c2c006c3ed7f60668afcb77342db1049d166af7ab991eb0d6cd8c3e2b2a59 |
31 |
1 |
Disable Windows Security Center Notifications |
frack113 |
Sigma Integrated Rule Set (GitHub) |
bdccaff58cca68f197ac8f69e4b633c0bb114e3868020f4970296aa9e2866485 |
31 |
4 |
Enumeration for Credentials in Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
cf1e24c4e4b805857977d873b41de8cf08d618fa56ffb27ece5e9b41e84807d6 |
31 |
15 |
Linux Package Uninstall |
Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5e489648e7cddbfb6f319308353866e71f83fcd5e3663e83ecf5f6f7f01383bd |
31 |
29 |
Potential PSFactoryBuffer COM Hijacking |
BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
37782d04601239241ebe09601b69caf3da92679e05edb94dcf699346e06be653 |
31 |
9 |
Suspicious GetTypeFromCLSID ShellExecute |
frack113 |
Sigma Integrated Rule Set (GitHub) |
88dfd5a01f282c28ca7996397793be5f0d467366ce982def90143e1503ce84ad |
31 |
0 |
VjW0rm |
Joe Security |
Joe Security Rule Set (GitHub) |
df4c3314c54ac26310706f85324f7952f1a6f38db2953516f58f8f43d67918bb |
31 |
0 |
Fireball Archer Install |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
82119a59aede1b373e13f532ace644de8571caff9f04869378270de5b5881bc6 |
30 |
0 |
HackTool - Impacket Tools Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bcdf3f22e3474c8f1ea65e450422f64bc2fb74de766f420de7cd57827679d7f7 |
30 |
3 |
Hide Schedule Task Via Index Value Tamper |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c330740ff90c619e583a655e80d545f5ee7c435e58ee3bc2365a0eba1deaf010 |
30 |
6 |
Indirect Inline Command Execution Via Bash.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
dfbb51364e0deb6fd01f82a709f96be117d3f57ab06c8ac5718d944050856808 |
30 |
15 |
Qakbot Rundll32 Fake DLL Extension Execution | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b67830e1ab8ef95eab597f2514e4e830d57cd5b3070020fe62fb7a33c5c9a514 | 30 | 3 |
Sakula RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | dacddd5435eda2fc54dcf6d585d0e82a0379e27c838a82bebc8ec9f0c0ac9921 | 30 | 0 |
Suspicious File Characteristics Due to Missing Fields | Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 608e0e17d25bcba31de608552a073a6677d4f626ab55bce353a686eda3f60bcc | 30 | 1 |
Suspicious Greedy Compression Using Rar.EXE | X__Junior (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 94e8734168825ab4d47d1adb94a7a1c9bee8ff96dd059cc958d572d0ce091258 | 30 | 0 |
CodePage Modification Via MODE.COM To Russian Language | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | d24e5c8054aafd6a688f580d314146106d7ba097d4f9bb630c6ca4f260c4f712 | 29 | 0 |
Container Residence Discovery Via Proc Virtual FS | Seth Hanford | Sigma Integrated Rule Set (GitHub) | 442971bed1da8160e4493d1cbb6e206863e44b4d3bc071439930f75b57155168 | 29 | 26 |
Hiloti Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f8a63428721bcc8ad6de541a48e0a1f21d8e73a4f114603bcb7e9066042c502c | 29 | 20 |
Netsh Helper DLL | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 67f08eeb3f74c7dcf4b8985150f3df56b390aec0e1d3edb45a75c360f73c0134 | 29 | 23 |
PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 91a0bf780670902c97c569d46226158bdd49738004799b58cd63cc4c9d63ea55 | 29 | 1 |
Hidden User Creation | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 809fde43d8c51148345ce94401363b56daa369da6e6bdb766f26a3a3af847f65 | 28 | 28 |
Mavinject Inject DLL Into Running Process | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 22a0144a5fa16f342a409df0a0b3ea1292a72b8e43c7c844bf06d68f5330fbf4 | 28 | 10 |
Suspicious Service Path Modification | Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8583e6aef0800332fe3fd71771daa3901bacd1a4e3b8ae12333da5f445913332 | 28 | 5 |
Inveigh Execution Artefacts | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 04a3ff78807e08f6f792e8645f0d500d0b8ee72ef7ccf43d29295bda7cfa1c51 | 27 | 0 |
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy | frack113 | Sigma Integrated Rule Set (GitHub) | 59b625af50fa92cc05953cfdf68d6c931bb58a09a058e54757d152acfce5923c | 27 | 19 |
Potential PowerShell Execution Via DLL | Markus Neis, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5980c0048e6d0468659094b73e0c348afcf2c52a7842e03089c1279a023c70c9 | 27 | 13 |
Renamed FTP.EXE Execution | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 1b0331796dea16652e2a96f7864c155f7ff236142499897fcba7142c8eb1a007 | 27 | 4 |
Scheduled Task Executing Encoded Payload from Registry | pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5e1d76eef43af47ab79dcfbdbb15919232ca5646aef7cc201d8aa1191b2d67f4 | 27 | 0 |
Successful Overpass the Hash Attempt | Roberto Rodriguez (source), Dominik Schaudel (rule) | Sigma Integrated Rule Set (GitHub) | e0a74a014c641b36f56f6bab87d33f003162f1e4a4e97882d055aa0c2fbc4064 | 27 | 1 |
Delete Volume Shadow Copies via WMI with PowerShell - PS Script | frack113 | Sigma Integrated Rule Set (GitHub) | 7435e1880cdd78f155ad539eaf8348f3ea0d6fa1183fac382443553cac2159be | 26 | 1 |
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2abd81b6396ea687490b2d703ce07c1abd135ba398d89ab839c66e6a43f713f0 | 26 | 12 |
Potential Keylogger Activity | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e703d50e111ee23983e8b6aa4d4451e1e59158b2bb8bd0c0a7bbe38c708c4e3 | 26 | 4 |
Potential PsExec Remote Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 534500853b096a12173d832563555b71c1116d432b7dabba079946461ef7e617 | 26 | 2 |
Powershell Keylogging | frack113 | Sigma Integrated Rule Set (GitHub) | ed239970ee8d5e197f594aacc2fd6f6f6d3dae189b2b2aaea8c2f5d100939e42 | 26 | 10 |
Sdiagnhost Calling Suspicious Child Process | Nextron Systems | Sigma Integrated Rule Set (GitHub) | 4254515e2214920c73b9dc8a7c9f084744461c248ca9e42ffb9e113d325a2615 | 26 | 0 |
Suspicious Dropbox API Usage | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fe21430fab5862ef48455258a0cfede5d05b0a4f20d0d459862c92c7b18903cd | 26 | 5 |
Suspicious WMIC Execution Via Office Process | Vadim Khrykov, Cyb3rEng | Sigma Integrated Rule Set (GitHub) | 651f584b690a75e06a7e634cec7a11b17555debdbfffe3f765a988b80ffeacbf | 26 | 0 |
WMI Persistence - Script Event Consumer | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 3b638ebc248d5ac99c1adb404e0b5f4adc3784b9af6f02b296381a950e9e8fdf | 26 | 0 |
Dump Credentials from Windows Credential Manager With PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5058b79d96d2165425d539e148ae3fe578dfa62b75b71f82ca2bd6bc347be4d5 | 25 | 5 |
MacOS Emond Launch Daemon | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 839422d12551f797abb514fc052bfc852f3811d1b983090ecd6b6cf2f22d8ed9 | 25 | 0 |
Malicious Driver Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | eb9cde748691b89900d3912132c7152f33c227584d841ece03cb44a1db24b597 | 25 | 0 |
Potential SmadHook.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f1ba900adfa240d28790516f5652210eac67fe14d06909d4a23dc7da3e2351d9 | 25 | 0 |
Potentially Suspicious Regsvr32 HTTP IP Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb39752a4e439774cfd5a035f61c530f6c75b6d694b088178e6c155f78f5563d | 25 | 1 |
Removal Of Index Value to Hide Schedule Task - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 23fe3e0423af9fe044d336e0f9a8fd2bc07e40d06ee7e394c6c7fd1bd44273ca | 25 | 4 |
Suspicious PowerShell Invocations - Generic - PowerShell Module | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3f1f1d4b840f1276832b328fab68511c28f6b7918e887279b03e6ea4735bef7d | 25 | 1 |
VBScript Payload Stored in Registry | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc67cd797236fcf12f7a5e58c0d5fc50318e74f58c9d17e6bf7905e87c5a9c21 | 25 | 14 |
DLL Loaded From Suspicious Location Via Cmspt.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7fde3c5ae3c028a596ad8a76eb1a4b7ab0f64f939f847ef0f25f723659fbae8a | 24 | 0 |
Delete Important Scheduled Task | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4b6a191a02d514b34f125957168469a325b2720a4b3592aab7d5528aa5afad64 | 24 | 10 |
Delete Volume Shadow Copies Via WMI With PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 57a9202655d8133d3a5eb0a9d51c9f5dedb6b15cfc700005f6f0d686df4f2ba2 | 24 | 0 |
Office Applications Spawning Wmi Cli Alternate | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 4e7dcf0bdb7133795dc5f59a3dce3f19d7a78ad417e3b41e7dea915b76bdfd5d | 24 | 0 |
Potential CommandLine Path Traversal Via Cmd.EXE | xknow @xknow_infosec, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 66a17168752e700a1b57242bfc6b9a345959b5142a99316865e1d44df709c32f | 24 | 12 |
Suspicious Unsigned Thor Scanner Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 845ad09a7d56e7163ba8162af3cd6b1ecb26b7cc95443795b162eceb8659f992 | 24 | 0 |
Uncommon Child Process Spawned By Odbcconf.EXE | Harjot Singh @cyb3rjy0t | Sigma Integrated Rule Set (GitHub) | 7e8cf2aa9c53d27e74ec5d758c244e7939c04f5252650030b441077572cfcbe2 | 24 | 0 |
HackTool - LocalPotato Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3830810896e4e4a4cb02898a844b8488dd8240175e569b96a950d8ae6bcb9c88 | 23 | 0 |
Powershell MsXml COM Object | frack113, MatilJ | Sigma Integrated Rule Set (GitHub) | 38c7f03136a955c75f92f48bde1f9544a6d996418d05fae60f1efc916f0ea88a | 23 | 3 |
Privilege Escalation via Named Pipe Impersonation | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 109e6e5533daa3625414a7f58f6a8b34392f3050c582146cfe13876cc85fd9df | 23 | 1 |
Use of VisualUiaVerifyNative.exe | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | c2fb9169c48cfbf7abc02540d8fc5c9d887473aed872aed30dbd4f8a9ead5a5b | 23 | 8 |
HackTool - PowerTool Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 24223dcd765ae37fd40f3af1054e55119422246e8933dc29b1debbd1cfc67d00 | 22 | 2 |
Microsoft Office Protected View Disabled | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6d5a609a6b004ff13f827d2c892bfdf14add4eea1de46a0f4d8911bf8f4f7bb5 | 22 | 2 |
Potential RoboForm.DLL Sideloading | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | abaa40290a66ddc6c6b30a8e4d86fb5d86e943057cc9bd8c4e412056329325d1 | 22 | 17 |
Powershell launch wmic via class | Joe Security | Joe Security Rule Set (GitHub) | 1f85dfeaa80a160e0d553a3ac8d1d5139a7622d4d146c43f52eedbe005757ba7 | 22 | 0 |
Removal Of SD Value to Hide Schedule Task - Registry | Sittikorn S | Sigma Integrated Rule Set (GitHub) | b6b61a17f356fe2363775995997e1051f0931f70e7446ddf4e165f27cc717622 | 22 | 0 |
Suspicious ScreenSave Change by Reg.exe | frack113 | Sigma Integrated Rule Set (GitHub) | a87fe4afa527fd01cbb17ee26918bbf87dacf9b429f97ede32b8831532ec4d59 | 22 | 3 |
Suspicious Sigverif Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 56643225c1e622a648289fb75934bcf15ac76a8bdb22a911e9f06d61e7db7077 | 22 | 0 |
Taskmgr as LOCAL_SYSTEM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d1e002f037bffd9b91901474efbd1036622a788849898b81570d37d3ba34513 | 22 | 0 |
UAC Bypass Using IDiagnostic Profile - File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31d928b4b0adc82d81a6490585e87953d808c285ed5d3b25bbe1a461234e37f6 | 22 | 0 |
Use of Scriptrunner.exe | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee66b627cde43649f28de57c23b192a559378134d0f4b90b60b77109c8490d7a | 22 | 0 |
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 81314be6adb2ae8f1bd104c4f35d68c8ff62ddfea655e64c5b1c92082b72d5ae | 22 | 0 |
Winword Drops Script In Startup | Joe Security | Joe Security Rule Set (GitHub) | 04a0af687c3b9094f9252dc38ead308fae7facf86cb7e4bf728075c9b17ed9dc | 22 | 0 |
DNS Query to External Service Interaction Domains | Florian Roth (Nextron Systems), Matt Kelly (list of domains) | Sigma Integrated Rule Set (GitHub) | 9cd7d0464b2ec471865497eaad8a6c4d1a73db7c60ab90f17e39cd455bb7c847 | 21 | 5 |
Execute Script with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | 206390e3b1deba575d9f4b3f8321fd015223f5177a8f486a56f6d74cd51afab4 | 21 | 0 |
New or Renamed User Account with '$' Character | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 6c5cfe607309f4bc96c1644752af6a875fd27ea6910ddff26e40a4ae64a26e05 | 21 | 1 |
Potentially Suspicious Named Pipe Created Via Mkfifo | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e0cf499ab24f3368c176a6b60e38d07e517a3bb7d26f12ed0da003e47fb50b80 | 21 | 14 |
PowerShell Get Clipboard | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 524490479b353ff8d877b617014d2cbb9a65d782e87caae21e923760fd2ed255 | 21 | 1 |
PowerShell ShellCode | David Ledbetter (shellcode), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a8f93a6a21c54d549a6d042e48c067948add81f96231c70f83cdfa345b1f6cb3 | 21 | 0 |
Renamed SysInternals DebugView Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1de55c288a6fd75ce590378bcc3b9bf02a66b8d45de5928d17d08339f5182586 | 21 | 1 |
Suspicious Get Local Groups Information | frack113 | Sigma Integrated Rule Set (GitHub) | 098feee88c8a66070a3ec1f3c56be0ede46676cee2b799ba6d309360ce563ba7 | 21 | 11 |
Suspicious Remote Logon with Explicit Credentials | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 3f8d6ccb4e7555cba08aa888810b970a1a0a1f79d2a65b51f323b466542ae099 | 21 | 5 |
UAC Bypass WSReset | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 03fc63d53dd6f6eeb7fef5848db2e4cd11fc7177c187c398320bb3934b751d87 | 21 | 10 |
Vulnerable Lenovo Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b05e5f1c810aad917ec95aa917177c7a3075f44d37d2ed2b21e953dc69c99eae | 21 | 0 |
WMI Execution Via Office Process | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 58a51088691ea6b0bb320e61f961a96216f54913353095e97a5b5c6e94ce74fa | 21 | 0 |
WMI Persistence - Command Line Event Consumer | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 2d6a5c8b5ff6663f305abc5b7d611b99089e2cf4ad71b0b3f9a89d8d05d71a89 | 21 | 0 |
WMI Persistence - Script Event Consumer File Write | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | f4ab9cd44db2481795fe0edd858471bda0d0b73d8e406124bf76a2a074ac5360 | 21 | 0 |
Arbitrary File Download Via Squirrel.EXE | Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | c19e1a6a54ccf6c55fb5923bbc85abd4addae819675e8e4958d9e83689e50c81 | 20 | 19 |
HackTool - Certipy Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 08313c93f25fcc42ac92fbc76a4534fa917a58a2272262a4f567000b39ad92ea | 20 | 16 |
Hidden Local User Creation | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 084f8f629ce19b2d68d7e27615e59a3ebea0e92f94d25fffcdf6981152cf5efe | 20 | 1 |
PUA - 3Proxy Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b64369f53ef70c3d7e1d585af2907c0131463758488f404288df85bbb2891ee7 | 20 | 0 |
Potential SAM Database Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80a403e95306ff656dab00a85d9565922c30f10b9cceccba105e76eedb357bc1 | 20 | 7 |
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 58f889a08ad6ce38a9295b6b87119a8d48c26999c14dd5829b08aea2631a5e27 | 20 | 0 |
Sysinternals PsService Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 647bce287d915da46bf01fa65706878514260f75bea7273d4c5eee115ac0b031 | 20 | 5 |
Add Windows Capability Via PowerShell Script | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f0193a082ffec8bb49a0621541982fe0c6a2ba5f5b536f62789f83021ee4270a | 19 | 12 |
Bad Opsec Powershell Code Artifacts | ok @securonix invrep_de, oscd.community | Sigma Integrated Rule Set (GitHub) | c536e387a5fd3183e46be3c9a492ab73e5ade9b45179341ea25fcfe383cee92d | 19 | 1 |
DD File Overwrite | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | ae140eaae48e1659eb9013e9c7758cc3ebb59100fc5bce9ede4e8a0ca0fb76b7 | 19 | 19 |
Exports Registry Key To an Alternate Data Stream | Oddvar Moe, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 9695789356ce1e4c280773e1a4990ee193bc17704d78da2b4acb48eed6061293 | 19 | 0 |
ExtExport.exe abuse | Den Iuzvyk | SOC Prime Threat Detection Marketplace | b74bcba954f168601bf9276abbb38f732599a67e11aa264ce29f8bc3f056aed3 | 19 | 15 |
LSASS Dump Keyword In CommandLine | E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5e648013d43c5992b13c647c1b522a289f737e3c1ef665572f75f913fde57c5a | 19 | 6 |
PowerShell Downgrade Attack - PowerShell | Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements) | Sigma Integrated Rule Set (GitHub) | 68dfd4dca345ef6d2fe87835db75f6e538426102929780a6f37dddb7730cb7e8 | 19 | 0 |
PowerShell Get-Process LSASS in ScriptBlock | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cac21fdc92116671a9e24502beff8b3cc9b77c6d7a23b8f10aefa65821fd9014 | 19 | 1 |
WMIC launch script from xsl file | Joe Security | Joe Security Rule Set (GitHub) | cc58aa96e11657d0df0ee460019755b19a5929a979fdadd56569d6b35c03fdba | 19 | 0 |
Credential Acquisition via Registry Hive Dumping | Tim Rauch | Sigma Integrated Rule Set (GitHub) | ba431c90356b826afe0f0c811dab13c54cbe689123f1167962b6bd8f23edbb25 | 18 | 0 |
File Encryption/Decryption Via Gpg4win From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 18478181b6b617e46cc3c32642d9a39ff265353a398f2aa515a11e6b0fc2097e | 18 | 0 |
Forfiles.EXE Child Process Masquerading | Nasreddine Bencherchali (Nextron Systems), Anish Bogati | Sigma Integrated Rule Set (GitHub) | 32fe36abb39d468ad23cc377de33068c295dce79c9d36eb1c0b7fc94d2012270 | 18 | 16 |
LOL-Binary Copied From System Directory | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f3c07a8418c3bded0e6f5bc97177ca9d501ba33f7bc9936b907b11f939603b14 | 18 | 0 |
Netcat The Powershell Version | frack113 | Sigma Integrated Rule Set (GitHub) | afccc7dbdf0a361ce026bc9a376283952eb427865b9051cc07fd5ff5ed819482 | 18 | 0 |
Potential Suspicious Windows Feature Enabled - ProcCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 357a1509ab7f78c2a398c655fccc9dc788108fb9790efbdce90601bcd6d4b4de | 18 | 9 |
Renamed Sysinternals Sdelete Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7d63599d287fda108a45075e54ff5b89384e0fbceef8bccec56b981f485b278c | 18 | 1 |
ScreenConnect - SlashAndGrab Exploitation Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 23407cdf316994ee153a1d8c66bd52f5a92b9564c834831e984ea04d66dc2f92 | 18 | 0 |
Suspicious Debugger Registration Cmdline | Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | bf194ab090c7130529a9fd6a7f876d5fc008ceecf627db81eef41431ffaa3c53 | 18 | 3 |
TeamViewer Domain Query By Non-TeamViewer Application | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f5bb3e63c485ed446ed15d107875dc222ef1503df0aa3b709ca9bd920eaba52 | 18 | 8 |
Wlrmdr.EXE Uncommon Argument Or Child Process | frack113, manasmbellani | Sigma Integrated Rule Set (GitHub) | 67d3612b65ef2b4db5ee2d86f8437cc82d5e33395a852f7540858df8738250fe | 18 | 0 |
Bazar Loader Detection (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6e25203533b4bcc3b9ce1805fbf4ec196d2fd6139dcf17880caf0e2952c3ebfe | 17 | 0 |
CrackMapExec File Creation Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 025208b5b73f1640ce17844eb62f40d4ee3a9bf72b84c9cf66b9777b72e2ed33 | 17 | 1 |
HackTool - GMER Rootkit Detector and Remover Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e47f51603e07d3225e0193822f65d9ce5fb78441750008f7e5ae695626585c7f | 17 | 0 |
Indirect Command Execution By Program Compatibility Wizard | A. Sungurov, oscd.community | Sigma Integrated Rule Set (GitHub) | d4b25cba1a95e034ae6766147690611472b8ce274332b1aee27da6faa04335a0 | 17 | 1 |
MedusaLocker | Joe Security | Joe Security Rule Set (GitHub) | 210f9984c24831780960074692a8e0641937345a359f29224036fa53ab77414b | 17 | 0 |
Microsoft Sync Center Suspicious Network Connections | elhoim | Sigma Integrated Rule Set (GitHub) | c122f750d19364e5cdb16e7fcce3cd01da31e9d258cfd5dc255864758d7d44b9 | 17 | 0 |
PktMon.EXE Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 2718243600ba0f2b3eed38a165f571cb8da2eeb23fd54844632d62088a47ad03 | 17 | 8 |
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b027ab789fb9aae6408830caeec9ddb51799862bf5bc8adc8cfe393d6483a66d | 17 | 4 |
Potential Persistence Via AutodialDLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 164cdc408856848b0eb1ce6165a865e2b8dbd9fcf0b5aa393fd7f1af640ff05e | 17 | 0 |
PowerShell Write-EventLog Usage | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa5822a3aeab0960eda08e8d46a8126db47dc54aa6a0e0ae7a7163dc7fe9746e | 17 | 10 |
PsExec Service Child Process Execution as LOCAL SYSTEM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f568e89bc8387361d0bc168c8a46059280d10de1ecffdc0e99533b7b290401af | 17 | 1 |
PsExec/PAExec Escalation to LOCAL SYSTEM | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 95ab10477326346ad231600df85597b403502c24947739b6a2b5bf75469a3024 | 17 | 4 |
Shadow Copies Creation Using Operating Systems Utilities | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 16e1527c32b0f67a6b8e3dfaa73ba62c13f73f46a6b0d5962dd823d9ecac933c | 17 | 4 |
Suspicious Child Process of AspNetCompiler | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 740b947f37e23aebf12426023d92751904b9df145f63f09b91fdabf8d5aee1bc | 17 | 0 |
Suspicious Key Manager Access | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c7e5c778b0f4b6273f393fd9e32d97fe4145b2b1b3a8de87a9e02cd66f9c4383 | 17 | 13 |
Use of OpenConsole | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a98f3c123f3a93c1b00c4d125f1350e14a15b206767e6a109767a0229611baa2 | 17 | 17 |
wmic launch powershell and execute encrypted script | Joe Security | Joe Security Rule Set (GitHub) | 016a456c70d6e45a65219e2ee0e3972cd7104bf98c318e2f088a07f71fde0d43 | 17 | 0 |
Alternate PowerShell Hosts - PowerShell Module | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 5b34558f1c4d3065989635055533ba223585e99be44e2b0e319dfc6946c50ee2 | 16 | 10 |
Dacls RAT (Lazarus's Linux Malware) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 79cabd2716a91ac3ac201a106a3c135e584d110d8527ac138457a5b89fb2b2a6 | 16 | 16 |
HackTool - SharpChisel Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 23eb4319cc6c1995a632adb591fa9b089822a7ef6061519fdc43832fac6bfb69 | 16 | 2 |
NET NGenAssemblyUsageLog Registry Key Tamper | frack113 | Sigma Integrated Rule Set (GitHub) | 1c1e1293dd905ae64df7a2e7f1182a624c3a618d411c80d0aff46ed4562d6da4 | 16 | 0 |
New PortProxy Registry Entry Added | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | e95b67f51925e56d5e1ce56881ff5e65536dbd80108577670b3adf94d708f2e7 | 16 | 2 |
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 9c3168b8b2ff965a5cf3ed36f4ce722df9e09021fbbc44075916c77d2132bc8f | 16 | 7 |
Potential PowerShell Obfuscation Using Character Join | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c4862257a12a109601071c91c17d133a44fa8e8b4a3f950b8bee653e573678bb | 16 | 4 |
Potential Remote Desktop Tunneling | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | b0551b45d814be91563636b774668bc85acfc296a30640e00aa036f4813d0809 | 16 | 4 |
Potential SquiblyTwo Technique Execution | Markus Neis, Florian Roth | Sigma Integrated Rule Set (GitHub) | 293439c3a9a4af09073b054953f425c95028a6ac98eddc611a461090bd1f3373 | 16 | 0 |
Private Keys Reconnaissance Via CommandLine Tools | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2a86897d4c284135c8e21105377149da6e12d9f57525bfdccdfb55cf4b3425fc | 16 | 5 |
Raccine Uninstall | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ce4fb10349cd95756b2f98a27b259d71c99ec9e0323815f2e916737fcbd1d4ba | 16 | 0 |
Remote Access Tool - ScreenConnect Remote Command Execution | Ali Alwashali | Sigma Integrated Rule Set (GitHub) | 12aa67b79c3edf7fd84e93ece836d07fcd28e945a17f4c2210723213ffb42055 | 16 | 1 |
Suspicious Processes Spawned by WinRM | Andreas Hunkeler (@Karneades), Markus Neis | Sigma Integrated Rule Set (GitHub) | dff6f482b1c3296a1eba449d732fe05e7b9a61f56c3849298ee9d06cec81c941 | 16 | 0 |
Abusing Findstr for Defense Evasion | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 47d19568dce3538a5fd8f2ddbd8388f28dbd91d200dc9a91d8166cb957ace155 | 15 | 8 |
Anydesk Temporary Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | e10fbca4d86522aeac83abdc331770c474bf85a4fbe87cff23642eb6a498969a | 15 | 3 |
CertReq.exe Lolbin | Den Iuzvyk | SOC Prime Threat Detection Marketplace | bc9b5e9188d37350da57ebc0b5b9ccc8a2ee828e827a15edb38904b64317a291 | 15 | 2 |
HackTool - Dumpert Process Dumper Default File | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f98998b2f0e9bb08954d741777bfdb257c7cb3dcce96f88af84ecf966e2e5695 | 15 | 0 |
Import PowerShell Modules From Suspicious Directories | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d3babfc30026e6742962ab48698047f9a8036f0689ca28804828a0f4c74c1a6 | 15 | 14 |
PUA - Wsudo Suspicious Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 52ed387697917fea6508ac90f395dedf45d52b74d34188d52bf6be42b4ab9697 | 15 | 4 |
PowerShell Set-Acl On Windows Folder - PsScript | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afd1a2b3a7d64a4c20cc388003d71422020c407abe143fe186e350fdcac57a3c | 15 | 10 |
SafetyKatz Default Dump Filename | Markus Neis | Sigma Integrated Rule Set (GitHub) | 5b2f81ece2c70e3e5e4dd770e0b9c755c90c099bf527d2b257d43e1193585d13 | 15 | 0 |
Suspicious Get Information for SMB Share - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | 8f4c645fe661dc0ebdeff288f1761a20acf930f02e4c51bc48e6bafc245c1006 | 15 | 9 |
Suspicious WindowsTerminal Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 38cc71193a6a791f4d2ddb67fdf3a6baafab25ec9f4c861b11fbdca1c94a3f08 | 15 | 0 |
Cat Sudoers | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 39e0f78f119c00983f3d546cbeed2a8f110ed703f5c5b1b18733a235b5fd0b02 | 14 | 11 |
CodeIntegrity - Unsigned Image Loaded | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b306695b6bb97e25e9d1a099c04eef42798259832fb062ad308fd797016c49d5 | 14 | 13 |
Creation Of Non-Existent System DLL | Nasreddine Bencherchali (Nextron Systems), fornotes | Sigma Integrated Rule Set (GitHub) | 3177080de9eacb01db500eb08111e0cbe691a57ed11d8bbeffacd6e8ef6e9b2f | 14 | 11 |
New Service Creation Using PowerShell | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 7295161a311508a2b2b0c90fa652ea09872640a00c671f294d6a4780a85b83c2 | 14 | 3 |
Office Macro File Creation From Suspicious Process | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8f4f518c1c5f1faa9ad744166d845016dc78c82b4c7f38011fa687462b1afa18 | 14 | 1 |
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b781bf9d3f406d9c4af525fd205bc5651cf5222b563981c53c4fbd9e36ad1407 | 14 | 8 |
Response File Execution Via Odbcconf.EXE | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 18ab8cf17024175e4f1d5ec237de24dcfb16890beb4847d0e90e79e0c59cfc85 | 14 | 4 |
Security Software Discovery - MacOs | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 96f1ded9c8d78d6aecb533a9fdde682e09aa97bc94f4d21bd39577705c1d7547 | 14 | 4 |
Sysprep on AppData Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 76d39c4238c645e864f006400ab59ebda393cfe12db20d6f7ec44eac3b27f6b3 | 14 | 1 |
UtilityFunctions.ps1 Proxy Dll | frack113 | Sigma Integrated Rule Set (GitHub) | 49b5176aaffe3fdb7bacc0dff70b5ac48bf0872faf993e311c4f5530db76a160 | 14 | 11 |
Add Windows Capability Via PowerShell Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 684b246bdb157e11d1985c522a8f891d7dfea0ec8d30864c9e2fe04cc9564973 | 13 | 2 |
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 84d018445ff2f74f3d42483a4605f7bf5d16da359866d95b1be54371131e5836 | 13 | 11 |
New DLL Registered Via Odbcconf.EXE | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e5548908b8b99ebdd4de66bfaf33ddcef3df5c1a83d217f9809e9a2eeb0a8e1f | 13 | 5 |
Potential CVE-2022-26809 Exploitation Attempt | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a212f91d8c2a0d339c91a9344ae02c2847e74c85458506b719d65b59e4e79069 | 13 | 0 |
Potential Mftrace.EXE Abuse | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 70d88530c350b96b4e059f6e128a58c0cce646e61c82107835f0204bdb1192bb | 13 | 0 |
Potential Persistence Via Scrobj.dll COM Hijacking | frack113 | Sigma Integrated Rule Set (GitHub) | 9d0ab0b7154dbe461f0e116296f545e8955e0c85892bcff2de2b680e29ba2af3 | 13 | 6 |
PowerShell AMSI Bypass Pattern | @Kostastsale | Sigma Integrated Rule Set (GitHub) | a7940883a0164e9f8e04f1c88ad85ebf44ddd11d7a06aa93f7c42c3111a33d01 | 13 | 0 |
Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a1c44f103e75c8295cdbb587af4bac07f2b77445d54c17a424e7dce924a981ce | 13 | 7 |
Windows Defender Firewall Has Been Reset To Its Default Configuration | frack113 | Sigma Integrated Rule Set (GitHub) | 00b96bc8d00802244409c54614fa31f98fe83547c5c43f4fd78e891c16f792e2 | 13 | 0 |
Copy Passwd Or Shadow From TMP Path | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 8ded73daf32e44d8446fc45b91e962b9508d911e85c06d0481f7c4321eba41fd | 12 | 1 |
DirLister Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 1f0dfd07d0caa1048bb3bb336c0d72bf884362c570c7a4bd683aa30e5f81ea19 | 12 | 2 |
HackTool - CoercedPotato Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 665180f2daed28e41508871b665e63276343206dad8c8dbd86bd97bab857f5d2 | 12 | 0 |
HackTool - KrbRelay Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 03e06bc61499c16b25ec22e9681f9e9633dc812e30ec543e7a5105ecbf3220f4 | 12 | 0 |
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 7943e73e12090a40bcc5a95e498a4655704cd76a8f1cc15acfef595e7f85a442 | 12 | 0 |
Lsass Full Dump Request Via DumpType Registry Settings | @pbssubhash | Sigma Integrated Rule Set (GitHub) | a3907c9a6a9a7e855b8ae2313f70c84cb7ed140f7e46502006474974da28e14a | 12 | 2 |
PUA - CleanWipe Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ede87d3abc8a99be3ca19ab4102e923f13e3f7b181cde6eddea9e6f1593b1e77 | 12 | 12 |
Potential Fake Instance Of Hxtsr.EXE Executed | Sreeman | Sigma Integrated Rule Set (GitHub) | 8dd172636988b9cdc1bf44aaceb27f6009d97516c54decea0812022b61cd8d7a | 12 | 12 |
Potential Meterpreter/CobaltStrike Activity | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 22ddfce5e8a79e957f4dbdceb97e27d764b010d395a20fd45cf95a20d02b53e9 | 12 | 0 |
Potential Persistence Attempt Via ErrorHandler.Cmd | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 118315680d9be2facc48920f16da11dcf001dcab58a40dfb2466c3118eaaa4b0 | 12 | 2 |
Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE | Alejandro Houspanossian ('@lekz86') | Sigma Integrated Rule Set (GitHub) | a6643da2e3310cc36e0e016ed24d7b75aaab7d235acf5d3e46618b8f2c3d94b6 | 12 | 1 |
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 810120d4a8fae64091e6c4056b2ff78e02b530e2b6ecce817ed590937d637f16 | 12 | 2 |
Renamed BrowserCore.EXE Execution | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d41dfd30129ef96d21bf50a0af9161636d21ec67ec25000786a06ba54a7cb7b7 | 12 | 0 |
Scheduled Task Executing Payload from Registry | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 746f7076c751ad73e28f35f1b0cf28741457217c7d9eeec546aae0616ccd5ffd | 12 | 0 |
Allow RDP Remote Assistance Feature | frack113 | Sigma Integrated Rule Set (GitHub) | 166df8c1d3e7f7c5a9fbd54dfc633614e8f49352354a3f5d9fe7ea04de73be78 | 11 | 6 |
Credential Dumping Tools Service Execution | Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 25727cb75bc931bc91e433f5340be32ccedd13bf460a2fd8da5b1a8d8b4a369b | 11 | 0 |
Enabling COR Profiler Environment Variables | Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops) | Sigma Integrated Rule Set (GitHub) | 54d006ecd6dae89f884b01b6fbaa0d8010a9ab60d59993aa4d10c45146c3b4ca | 11 | 6 |
HackTool - PPID Spoofing SelectMyParent Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1b73c8337d65bc8a945dd977fe40a0c1b9ef6b3e5b6fee0703621d9a088a9e48 | 11 | 1 |
Hidden Powershell in Link File Pattern | frack113 | Sigma Integrated Rule Set (GitHub) | 9e321ddc9cddac65fd520665184681e53aedaf0652832edb168aa27ac04e59ca | 11 | 0 |
Linux Recon Indicators | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 89dfaef258fef652c6b4ad4126f6bccece50ba696d0208cfc0aed440c1a9ab20 | 11 | 4 |
Lolbin Defaultpack.exe Use As Proxy | frack113 | Sigma Integrated Rule Set (GitHub) | 33c04ff56fdad87a0289647b36de2841f4a6fa4866c8656a4005c9f9048ce732 | 11 | 9 |
Malicious Driver Load By Name | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 906bfd56d8137360d8bf73ae2a77e12c06e9fcf42bbd522bb44ec062c598a74c | 11 | 0 |
New User Created Via Net.EXE With Never Expire Option | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4fa8ae2d822b83429e6b1a89ab0c9e8f9a3e769aedaf64ec7147fb1339f9f2f5 | 11 | 2 |
Old TLS1.0/TLS1.1 Protocol Version Enabled | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e7999f5a682142d347ffd96c83545986ff1386f44917a1a86cc4d39b4fa2b8c4 | 11 | 5 |
Potential Chrome Frame Helper DLL Sideloading | Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) | Sigma Integrated Rule Set (GitHub) | 5b77fa52ebf2a5c351fd8dceea7d49b56575b2380b0a9487f4c0707000e2619f | 11 | 8 |
Potential Data Exfiltration Activity Via CommandLine Tools | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 10f9b0f9e2b7be69811ff067e358984311772914e6957f50adf963207948fe4e | 11 | 1 |
Potential LethalHTA Technique Execution | Markus Neis | Sigma Integrated Rule Set (GitHub) | c1db9b15fbf203a696f2047d6ce2c7c32283587487a72c4333b63b8005e6a37c | 11 | 0 |
Potential Memory Dumping Activity Via LiveKD |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f0f9d14e111aa91965d2d0a99eb4d846dac08daabfd373803a6a7e4fa61fc4ba |
11 |
1 |
Qealler Detection Rule |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c8b5691bd0f6cb0670869259285160320643f60ba111d9c93b81c6bc5e088037 |
11 |
6 |
SQLite Firefox Profile Data DB Access |
frack113 |
Sigma Integrated Rule Set (GitHub) |
aa3ad15f592c022521aa6e4bc687dc3c181cea9b9343b55e1b909bc937113348 |
11 |
0 |
Suspicious Keyboard Layout Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1e8253d40fd15968a25971ec64e35f84f90536676b445d16184bde41a5fc6ba0 |
11 |
2 |
Suspicious Reverse Shell Command Line |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8e3a8f0b4e0bf72703dfa7509e194c8bd77b591184bf65292cf9c554fe5d7149 |
11 |
4 |
Suspicious Use of /dev/tcp |
frack113 |
Sigma Integrated Rule Set (GitHub) |
acaf2d56329609a17ef157534fe784b3570d4c344a3eff25b493f541a2526056 |
11 |
4 |
Cobalt Strike DNS Beaconing |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ae9cf008e7075ab1e5658ff0f1449d564314bf06bb13fc381dda84df5e63e523 |
10 |
0 |
File Download Via InstallUtil.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
74bf8f7775d6752c01caa0e5567c487ed43033b01b06fd72118ddb922ba1fae7 |
10 |
0 |
HackTool - SharpImpersonation Execution |
Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
94b769b76d6dca121622b8559c3f5ed337893a1ee9dbbe67442d2f649a373b42 |
10 |
1 |
Locked Workstation |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
b1f5ca9566ca9b549b32bfe57eee2e7ec1ae42a47aeba5cdf24c69c64e35dd5f |
10 |
4 |
New Service Creation |
Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
0e01e0ac3c9d7b292996c00466851ff64ca8e3aabb384b096bddba88aa769464 |
10 |
0 |
Potential DLL Sideloading Of Non-Existent DLLs From System Folders |
Nasreddine Bencherchali (Nextron Systems), SBousseaden |
Sigma Integrated Rule Set (GitHub) |
a9e64c740dfa885688164e22b515ae2bbf72a98c9b78c4cc612d3789cd06b93d |
10 |
3 |
Potential Persistence Via DLLPathOverride |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
19aedbf22a521287747df9d67d6f407fc9649a0c68f0cc7799c606dc1d952532 |
10 |
10 |
Potential QBot Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0453733ce01d4d10623584c342bf2a905ff761f1fb7b0bfbadcb80e8d940c32b |
10 |
0 |
Potential Snatch Ransomware Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d48381be3227e49cd9d42fdf472184d9e4db1b4fbe72ee6048739f0af5913e9f |
10 |
0 |
PowerShell Base64 Encoded Reflective Assembly Load |
Christian Burkard (Nextron Systems), pH-T (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c29bdf15b24c1c0a11c8652a68f53594b306a585e56099b3a1b22cfb438e5247 |
10 |
1 |
Remote Access Tool - Simple Help Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f5bf8f63db9709b4fe83cff6a47977397b7d9b5122302643931941983a6f0d9a |
10 |
0 |
Spora Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
a656aafe4c0cca78f1ad9cc5fe8f97b01ab237e247591a7100edef559c032f30 |
10 |
0 |
Suspicious Regsvr32 Execution From Remote Share |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0415bc3e4953b49601e59c9e77f268c8b8163cb32d777dc5a37b169f9fcbd8ca |
10 |
3 |
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code |
frack113 |
Sigma Integrated Rule Set (GitHub) |
37beaf97b85714dccecd452e684c29d067adea49095ddf3ec6631dc8acf14337 |
10 |
0 |
Application Whitelisting Bypass via Dnx.exe |
Beyu Denis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
da46c4a25c9b1a9291dd79b4539957b5ab71a6f2d75da9a90cfe48f74048a9a9 |
9 |
0 |
DNS Query Request To OneLaunch Update Service |
Josh Nickels |
Sigma Integrated Rule Set (GitHub) |
3141ca54d65e69f8e114e2bc754b4e0fdd364ecff79dddb87ef2f62ad895ec46 |
9 |
5 |
Defrag Deactivation |
Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) |
Sigma Integrated Rule Set (GitHub) |
8428866bf6cbf8ea04c18dc9a8ebd493a8a882a9b706b557f71d376cd69fda79 |
9 |
6 |
Explorer NOUACCHECK Flag |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
787401eca6027a528e035e6315ce80b537c4d3bd9944cfaad07ca911aa306675 |
9 |
2 |
HackTool - Hashcat Password Cracker Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
9621c87be63b1ea5e038a8d2759bc0bbe6a5ee4f322b9763fdc06f159d781698 |
9 |
1 |
HackTool - Jlaive In-Memory Assembly Execution |
Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) |
Sigma Integrated Rule Set (GitHub) |
ef084ef7df4d6d338332a4adf3272c6d7b031a4529a2d7030ec19c2a0e0fe9fa |
9 |
0 |
Malicious PE Execution by Microsoft Visual Studio Debugger |
Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community |
Sigma Integrated Rule Set (GitHub) |
833d1e3036176fa960339790e9389d39187ba0c444aa4b1f1d3adc81c860b9fd |
9 |
0 |
Potential LSASS Process Dump Via Procdump |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a6a60c80601bd33b44e65b559f9e53c0b9237ab7f54ca97530065cd494662e3b |
9 |
1 |
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS |
blueteamer8699 |
Sigma Integrated Rule Set (GitHub) |
93d3c8484d953299cdaafb696acdb7e33fd8a569cd8682a0d501a122f2b8290b |
9 |
0 |
Potentially Suspicious Child Process Of VsCode |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2b2fdd02e6d67b114c93dcec1de1de2532845d73efb0b0201ca22e901501832f |
9 |
0 |
PowerShell Script With File Hostname Resolving Capabilities |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
230d92ec3109cf1df60e1e9e3af5b45cd871c5458a607630ae6655e5d373e629 |
9 |
2 |
Suspicious PowerShell Mailbox SMTP Forward Rule |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a9b0d95e9a34c915ab22d89c790c054977cd6411f4fdebffa6e36f09e5376c9c |
9 |
8 |
Suspicious SYSVOL Domain Group Policy Access |
Markus Neis, Jonhnathan Ribeiro, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ff263a69e24c4173f3baabd03b59d71e2dd4679b248e9bf0851bd9852043117c |
9 |
9 |
DNS Exfiltration and Tunneling Tools Execution |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b5eeb195cf8da826ce09652556c789913808b5869a15ad6d6771d084721b65e0 |
8 |
0 |
Findstr Launching .lnk File |
Trent Liffick |
Sigma Integrated Rule Set (GitHub) |
2db81575319b095e5240489dc39a6070fb3e587fb35a6c988f38cbc71fede886 |
8 |
1 |
LSASS Process Reconnaissance Via Findstr.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e3175b1068c342ed7e05a42913dc8cb72ea0167a81bf24fc620261d4ec40f78d |
8 |
1 |
PUA - Crassus Execution |
pH-T (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
43a1d4f767ed0c719d573fd6ddfd62abcd7f8ebc365f97d7c2f83f9a7eeac91b |
8 |
0 |
PUA - PingCastle Execution |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
fd0cd897f506978ff6667a20ae3279271012ea71e5721e9fc659e91605c9ceaa |
8 |
3 |
Potential ACTINIUM Persistence Activity |
Andreas Hunkeler (@Karneades) |
Sigma Integrated Rule Set (GitHub) |
58bd50bf4c2f3dee57aac7f6c2f5671bd781f59b9e71a8c191de01ef8cf53de0 |
8 |
0 |
Potential AutoLogger Sessions Tampering |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
71000aa981db521aed45841e26a97e5761747be7e168201f1ea473ad3536fb85 |
8 |
0 |
Potential Persistence Via PowerShell User Profile Using Add-Content |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9ed950c94ef5dce1af4ac6ba1eb25704edd170e1a75506e3095eb362e63eab6b |
8 |
6 |
Potential PowerShell Downgrade Attack |
Harish Segar (rule) |
Sigma Integrated Rule Set (GitHub) |
c2de0fe89604a2026e004a0872e75e079b8632fcc9ef341e34017c52fbb2eba5 |
8 |
2 |
Potential Remote PowerShell Session Initiated |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
acad8e3e215caeb927f20d9296b9e48f54d909e55d58cb5b27bb4d334ab477a6 |
8 |
0 |
Powershell Store File In Alternate Data Stream |
frack113 |
Sigma Integrated Rule Set (GitHub) |
dabcdcdecebe87ed3085b193d3ed09029f3556672622b42d5759dc816f0b6173 |
8 |
4 |
Renamed Cloudflared.EXE Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
873e85f733935e924e8f1fa74c1f9f11028b553ba91de13826d5333190210b11 |
8 |
6 |
Scheduled Task/Job At |
Ömer Günal, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4b0543e80b3bd16b1e6ea919e7bc4a108b206468266597c7a5147cd615f35fe3 |
8 |
6 |
Suspicious Get-Variable.exe Creation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
d3f846e7661da10674d978e09815c9157764a57fc6651e2b2f8cb498cb4220b0 |
8 |
0 |
Suspicious Git Clone - Linux |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b45fda745c28f956a8d08fcefc5abdf9259342cdae5876d32e23f0f97ff99d1e |
8 |
8 |
Suspicious IO.FileStream |
frack113 |
Sigma Integrated Rule Set (GitHub) |
08e71eab529494c6cef4d7f699f5d95c87b1d954ee61b6f061d7005246b726af |
8 |
4 |
Suspicious Process Patterns NTDS.DIT Exfil |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9c132dee2c953c2d2497b3e00b2cf2309bc1f44409b130f0e34af66f9edf8713 |
8 |
2 |
Time Travel Debugging Utility Usage |
Ensar Şamil, @sblmsrsn, @oscd_initiative |
Sigma Integrated Rule Set (GitHub) |
afad13c67de2842888c6d4678ab0ab46d7369e91b6c7fb525482e91294e4ccad |
8 |
0 |
Uncommon Child Process Of BgInfo.EXE |
Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
3a9675abeacca74d231073efcc4c362ddc755278240288e69cd34b2f2052cffc |
8 |
0 |
VsCode Powershell Profile Modification |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
59db8591e12ce774c3ed205213760eb2341a6314257edbd898e991ea42d98e80 |
8 |
7 |
WMI Backdoor Exchange Transport Agent |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b02fbc5fd12d501dbd78749545483c506550bfb474efa9683e58ac4b2e4211b0 |
8 |
8 |
Zip A Folder With PowerShell For Staging In Temp - PowerShell |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
70e3421aca89a28b1d599aafae9fdd903822e32a691eb39731812bc02f3b9dcb |
8 |
0 |
Blue Mockingbird - Registry |
Trent Liffick (@tliffick) |
Sigma Integrated Rule Set (GitHub) |
047c4b3f6b03d9a7cd611e4baaeffab7d6854460859ecf302466ae225ddaf2c7 |
7 |
0 |
Connection Proxy |
Ömer Günal |
Sigma Integrated Rule Set (GitHub) |
70f387e708b9ab503041091a0b074a7d2aa84dea74f61b398fa6fc3f154dacaf |
7 |
7 |
Enable Restricted Admin Mode To Bypass MFA (via sysmon) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
7b0a12d70498be6b75106baeadc6572fa8f03b6e6ce96998c3c84f14e5dd19a6 |
7 |
3 |
Greenbug Espionage Group Indicators |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f29ccc5a8616c9c1119e794b857a0425268bf5ee86863b612092ec5e045863ed |
7 |
0 |
HackTool - PCHunter Execution |
Florian Roth (Nextron Systems), Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
8046d8e3f3ef408857439eaf28938b362576b464ba00290a73789cfc2fb05d9d |
7 |
0 |
HackTool - SharPersist Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b0c69b8d2020a5d6c12bee42bba9e6d94b6b9045ea1920405133ee19546dbcab |
7 |
0 |
Install Root Certificate |
Ömer Günal, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ec31a3e8dcd4d55b032d9d6697f403b4260762840a75ef84a25fec68f4d78fd6 |
7 |
6 |
LOLBIN Execution From Abnormal Drive |
Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman |
Sigma Integrated Rule Set (GitHub) |
238344575bbb5eb706fb34305ba1e18c4f040fc25f6e6aede8cae2d0bcdc64fe |
7 |
1 |
LSA PPL Protection Disabled Via Reg.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
80855f8a9447aabc3c921b18396835e82ab35d2beb39b56f2d34d156ca2ac9ae |
7 |
4 |
LSASS Memory Dump File Creation |
Teymur Kheirkhabarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b0e4aa7c882545a1b46a09c373f3abc99ee9ad92c5cb99e1b8764356501b3059 |
7 |
0 |
Nibiru detection (Registry event and CommandLine parameters) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
8bbea961d969188574b7fe958c971caadd38b955cc77f21093d7d5d266e4d697 |
7 |
0 |
PUA - CsExec Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b2300d5d918bfa55070c1a6c9eef5422d85306572df402f76d8549d97778851a |
7 |
2 |
Perl Inline Command Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d7702078dd10096eb5abed05e061a8a1faec0e7904a86b6b39f6faaaa294190c |
7 |
5 |
Ping Hex IP |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a78012a975b5cccbdd9caf22ce8a5065aa442b2459190ab2a3a0b39e1eb66bee |
7 |
0 |
Possible Process Hollowing Image Loading |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
fcf7620e2328b946e9b3d0f404695a61a8943ec4865dcb48e4be1d1094ac3196 |
7 |
2 |
Potential CCleanerReactivator.DLL Sideloading |
X__Junior |
Sigma Integrated Rule Set (GitHub) |
a8fd4a570107258e03b26b713f8828ce9b12422ae791b631ae9f0d43db3d7c05 |
7 |
7 |
Potential CobaltStrike Service Installations - Registry |
Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
eaeadfa6378455d35bc7d294a678cf68a5a8c6c2b5417d038a80d96bdf2e76de |
7 |
0 |
Potential Emotet Rundll32 Execution |
FPT.EagleEye |
Sigma Integrated Rule Set (GitHub) |
4e5ef297fadbdf1fbd3c57b71841275af9687495d2f45e59fcbabdba98315434 |
7 |
2 |
Potentially Suspicious File Download From ZIP TLD |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
03db66b3c4d5474f5f84d9a053f19cfcdcf35d396fad150f9e8cef0ca6218550 |
7 |
7 |
Potentially Suspicious Windows App Activity |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8402e63c9283e770df7e32f8492615ebfdafa4151c457b3333e29ee11564c4b5 |
7 |
5 |
Potentially Suspicious Wuauclt Network Connection |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
797b0bc9c2136612087c0b95b2f7917f60d1429162e72a7207861e247618dae3 |
7 |
0 |
Query to Ammyy Remote Access Software Domain |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5d5ea99f7c040a6706db9d67e16b384eebe02132d410d1f9edc4131c8045469f |
7 |
0 |
Renamed NirCmd.EXE Execution |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1240085183732053f634278b3248292410a8e5db2568b88f00d683a99c69995d |
7 |
0 |
Renamed PAExec Execution |
Florian Roth (Nextron Systems), Jason Lynch |
Sigma Integrated Rule Set (GitHub) |
58a87adff5b80f1f00537e13c96a7a3ca3c24b661fb3d6f998ed9a120ad72ccf |
7 |
1 |
Root Certificate Installed |
oscd.community, @redcanary, Zach Stanford @svch0st |
Sigma Integrated Rule Set (GitHub) |
80e21a1883c10ba77d6f4a1b0b6903e9ba65d57e1874d2cd81b121f762481c64 |
7 |
0 |
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
413ab718402521225cd65e7866d07b849a38758c52a3bf913da2fcc4bce26ab3 |
7 |
6 |
Third Party Software DLL Sideloading |
Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) |
Sigma Integrated Rule Set (GitHub) |
c928de859419e27752e8b2fccceed03920e3be606bd678e119c3d5fe8ee94a9a |
7 |
1 |
Typical HiveNightmare SAM File Export |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f89983755305fab46f3677edade72743effd233979db77ffa6c51a9d1fb4a18c |
7 |
0 |
Audio Capture via PowerShell |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
db002a5ffd8be8305184d197dda045b272ab439c9fc205a6ce985e3eb911df70 |
6 |
3 |
Bypass UAC via WSReset.exe |
E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
ced1e1a1282b5d51ede1ac7a7dcc08496c538aeeb8bc6ecc1f72af56cd773d04 |
6 |
0 |
Detection of PowerShell Execution via Sqlps.exe |
Agro (@agro_sev) oscd.community |
Sigma Integrated Rule Set (GitHub) |
541caef712c71465ca223d69670a2ef4826f41323f21f161bc699c23ba201602 |
6 |
3 |
DirectorySearcher Powershell Exploitation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
59fea38f0030f37a8b1bcefb7450d7a94ba474f5e72db8b8f7a4850d643ad2e3 |
6 |
3 |
Drop Binaries Into Spool Drivers Color Folder |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2ef7bdcb98df6e413074966907c161b915f676e3f947a452e418049eeed22b75 |
6 |
0 |
Execution in Webserver Root Folder |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d11dfd4a7ffb536505adf98a4b97c1540b6e89a26661bf9f238b4a4d8f3133a9 |
6 |
2 |
Get2 Downloader |
Joe Security |
Joe Security Rule Set (GitHub) |
959a4fa9a66799f33b7f7ea4c82ec1869a3031768b47d0a7be1221b66ee355bd |
6 |
0 |
HackTool - PurpleSharp Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8cdb5f2da7eb9e3002ce4bbdd8a373b7dcd25103b4373f9b672e54f74c5316e0 |
6 |
0 |
HackTool - SysmonEOP Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6fbc0321364b37bef63538725c9c7e8e9c0702db310e3060a5da9d201d72a796 |
6 |
0 |
Macro Enabled In A Potentially Suspicious Document |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7210b6208abd6826bfdb8d8666ae792549157fe8070e355cad577fd8f9ef6499 |
6 |
0 |
Mshta Spawning Windows Shell |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
464455b93d1b76acf868754cca0e609af558267671ad641714ca27a923efb9ba |
6 |
0 |
New BgInfo.EXE Custom DB Path Registry Configuration |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2290f63e826d0001c4fa42b39ec48d3a1e3aedc34b3635748ac20257cccc3bde |
6 |
3 |
PUA - Potential PE Metadata Tamper Using Rcedit |
Micah Babinski |
Sigma Integrated Rule Set (GitHub) |
8eb59cf451fc1b4a57d9996082ad83751d5fe59d20e9b3562534ccf7fa0a07ab |
6 |
0 |
Potential Network Sniffing Activity Using Network Tools |
Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e0fec53c12094131d1b4e307c8e9dcea040e6d3cbb6b5eff0144c5a71473253d |
6 |
3 |
Potential Tampering With Security Products Via WMIC |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
deb3cdf84cc34aa311e6bb923cb0b259584940b4e6d724a32706971b5147607f |
6 |
1 |
PowerShell Console History Logs Deleted |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c46b249f0117bfe33cadfcaf2c8bdae7fac2bdb7d0cd559e546090de4fe930f0 |
6 |
0 |
ProLock Ransomware Behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
6f434a5ccf3c234c99a17756d76f7690d09d6c565f238cb77186e687baae2278 |
6 |
0 |
Registry Persistence via Explorer Run Key |
Florian Roth (Nextron Systems), oscd.community |
Sigma Integrated Rule Set (GitHub) |
1e3577ce99797b69eb40df7b9839ea82c3529cc36c44fdf5f4966c1966c44799 |
6 |
0 |
Remote Access Tool - ScreenConnect Server Web Shell Execution |
Jason Rathbun (Blackpoint Cyber) |
Sigma Integrated Rule Set (GitHub) |
daae21f683167b21c52b2d5cf76621dcdb8d8f60b79337e74692181948d4cee5 |
6 |
1 |
Remote Thread Creation Via PowerShell In Uncommon Target |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b6b512a36600d72d464945b37dc5edcb606a3e429979c7f50e117d9a428ebaeb |
6 |
0 |
Renamed PingCastle Binary Execution |
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
eae130a350341508858739da2c40e1c506012a525ad9d8b3b5d36b422f8b929e |
6 |
2 |
Replace Desktop Wallpaper by Powershell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
0f1aa746beaad206dc77bb8542a498967f1fb26e0677a3fdf90cfd5cf5c22a75 |
6 |
2 |
Suspicious Cabinet File Execution Via Msdt.EXE |
Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113 |
Sigma Integrated Rule Set (GitHub) |
4c0f8984146566700f953eb45fc4781e3347270de34abc6768ebafe2403c457b |
6 |
2 |
Suspicious Package Installed - Linux |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
88da3a6d05ee5ef259c6d116e0929c1d37d2af45f89850ee23e504ea0c83de04 |
6 |
5 |
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a8a088c8f88e78c7cc5ac33b30194b8a3087f2088063a607ae95d5f4ea54e273 |
6 |
1 |
Use Get-NetTCPConnection |
frack113 |
Sigma Integrated Rule Set (GitHub) |
84f3662b966321c45129926b0bf88e5845313e0cd9f0b7ec89f79f37c2fbeaef |
6 |
1 |
Certificate Exported Via Certutil.EXE |
Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
979cbccf990be909d4f159a82102389c4c0c7f925d721346e5eeb3ec66af615b |
5 |
1 |
Change the Fax Dll |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1cd0c62ae8a59243c600f2ecbb1c6b3e7b207c19dfdbc91defb8557cdfecef34 |
5 |
2 |
Custom Class Execution via Xwizard |
Ensar Şamil, @sblmsrsn, @oscd_initiative |
Sigma Integrated Rule Set (GitHub) |
c0bd5b42809f6cdda07709c25bc0f42cbb0a674ce80ec8c63788ef1efd31cdc5 |
5 |
1 |
Detected Windows Software Discovery |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
01357d5e887b9f5de970cbdf4e5303b1faff6ff0de49e5ae4c516f933c8a951b |
5 |
2 |
Execute Scriptlet Via Regsvr32 |
Joe Security |
Joe Security Rule Set (GitHub) |
568224310775bb02fb9ae53d55d8f7c8bc1daf93e73db7670b15f8b6f421f00d |
5 |
0 |
HackTool - SharpMove Tool Execution |
Luca Di Bartolomeo (CrimpSec) |
Sigma Integrated Rule Set (GitHub) |
52709f1d022c43ed380f17238c6ef21a8c776d68962ee8bb294257a122e3f27c |
5 |
0 |
HackTool - Sliver C2 Implant Activity Pattern |
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
37af4676baf9c863ccb2ca099ad1368020d8f1969b80a3e8a21065525136ff56 |
5 |
0 |
Invoke-Obfuscation STDIN+ Launcher - Powershell |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
8bc4688c4e1827de8ac2769dd693f5ee1d6a3dd731e0fa459a1d47788bc3ab77 |
5 |
0 |
Lolbin Runexehelper Use As Proxy |
frack113 |
Sigma Integrated Rule Set (GitHub) |
0335799533ff0b89a5009e68973be7f6433ddf66282123e1845a58a8e8ec7b87 |
5 |
0 |
MSExchange Transport Agent Installation |
Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7e012de38821878c4217e8f825643266daebb69300fb51da895c540db3ca6916 |
5 |
4 |
NotPetya Ransomware Activity |
Florian Roth (Nextron Systems), Tom Ueltschi |
Sigma Integrated Rule Set (GitHub) |
641862d7e2c86cdcc7b53162395c508471d30b1911e0be65fb335d6208a110b3 |
5 |
1 |
PUA - Sysinternal Tool Execution - Registry |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
35df1aeee1f1078e25bb64a8af513db99a7df8736e4847041fddacedf6b747c9 |
5 |
0 |
Potential Discovery Activity Using Find - Linux |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d11f1faaade0dee2c5c9802c5ca3156a6b215ab8469e61f9b18a1632d913c1b5 |
5 |
3 |
Potential Discovery Activity Using Find - MacOS |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5d89a75781e7f83d35cd5bbf56e6ff75e28edd5893d5b4e2b423fcb909152679 |
5 |
3 |
Potential Netcat Reverse Shell Execution |
@d4ns4n_, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
48eb2cf6fbed9e5a8ecd06131da8406600394a1db3ad8823802706b906a09f7f |
5 |
3 |
Potential Persistence Via TypedPaths |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ecac746e53261713779b4a2d6976c0747dd23e09ae800760119a4aa26f4ee527 |
5 |
0 |
Potential Rcdll.DLL Sideloading |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5ff2611b9e4afd1b48de5dbd0767a94154d20da0dcd882c34d36627964c17e70 |
5 |
1 |
Potential Register_App.Vbs LOLScript Abuse |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
cff1e1978dab401a82f456bac2436b263ce457f5ad9e3283c8d77f7ab885b87a |
5 |
5 |
Powershell download file from base64 url |
Joe Security |
Joe Security Rule Set (GitHub) |
197268256285c42b2e838f027388654e2a212ce987a525c6d95784c7abb2d786 |
5 |
0 |
QuarksPwDump Dump File |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4517db7f1f005bd0a18fc8081dbef15a21dede187d618c62699e3b1d8668580b |
5 |
0 |
RDP Login from Localhost |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
3895d9722610797e2eb09dca91e1a804bb4eec6cc1ca5b81a937f13e4adc81f6 |
5 |
0 |
RemCom Service File Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
aaf9c0f6fae3f23d344e3886423f727248cb280156f92be90557e288adfb51d9 |
5 |
0 |
Sensitive File Access Via Volume Shadow Copy Backup |
Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2904a54d46badb30ae1eda5e935bcbcc71f8a08303a31fb68bf9e1fb8f0f0858 |
5 |
2 |
Split A File Into Pieces |
Igor Fits, Mikhail Larin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
712e9f7f7214c248ff6777f914a1cf282ba49bc580bbbe4bb40a38cfacec7927 |
5 |
4 |
Suspicious Non-Browser Network Communication With Reddit API |
Gavin Knapp |
Sigma Integrated Rule Set (GitHub) |
fb3b178eb2ccfc3d8efba6b381a3e6aa0dd226e4216ac1d696066c8cb6be3594 |
5 |
4 |
Suspicious Registry Modification From ADS Via Regini.EXE |
Eli Salem, Sander Wiebing, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7d40150efe45672b8a7928c4d3ccb55e1238e89ead72dc4a08390a907fc57c17 |
5 |
0 |
Suspicious Wordpad Outbound Connections |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5fdc0db01908f4a29aeb14a39db1c793260932e8fb9aa97303e48ec06d68ec24 |
5 |
0 |
SyncAppvPublishingServer Execution to Bypass Powershell Restriction |
Ensar Şamil, @sblmsrsn, OSCD Community |
Sigma Integrated Rule Set (GitHub) |
8326a878ec5c1017e74941a7f45b60cfacf514ecaf4c2f5a787bfbecdc6bdf84 |
5 |
4 |
Touch Suspicious Service File |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
4c152035fe4a156a8598afe425e00c7fa018704640cedc3fc083405840db2324 |
5 |
2 |
Unusual File Download From File Sharing Websites |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f57e9a5165fe649d867e207c503dd53a05dbd5175c68be9a369174832afc8614 |
5 |
5 |
Usage Of Malicious POORTRY Signed Driver |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b6bbc36542c77f8d058bdc271a081010f06acd3d3b84465a3ab065bc5723eb46 |
5 |
0 |
APT 37 |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c53c2f741a37b554e1a5a16737f3c6f27a5818e8474ade69f599e8d18b6df51a |
4 |
0 |
Cloudflared Quick Tunnel Execution |
Sajid Nawaz Khan |
Sigma Integrated Rule Set (GitHub) |
202614b23ae8dbee79f1e984787e29f1b16b9952b40ce6cc71429a32fa9cacf6 |
4 |
4 |
Copy From VolumeShadowCopy Via Cmd.EXE |
Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
afa46c9c99b3c76a0450a8c7dface8fa7a53dda1c62644f81fd73ced0a0d096f |
4 |
1 |
Disable Powershell Command History |
Ali Alwashali |
Sigma Integrated Rule Set (GitHub) |
9bad9ab33b286bb06b80490c60a3b9a1136560cf838d47ba48b3384b762267e6 |
4 |
2 |
GAC DLL Loaded Via Office Applications |
Antonlovesdnb |
Sigma Integrated Rule Set (GitHub) |
10c0778367f03c51cf9136815b90c0d7a820fa857a135c645c55014481fd1395 |
4 |
0 |
Group Has Been Deleted Via Groupdel |
Tuan Le (NCSGroup) |
Sigma Integrated Rule Set (GitHub) |
985e3f8e0a9e16b289aeb9790dca44cc4fba4b0bc7ea20ad82dec4aee0ffb216 |
4 |
4 |
HackTool - EDRSilencer Execution |
@gott_cyber |
Sigma Integrated Rule Set (GitHub) |
79d4d5d30b70f2ddc17cda1ca9f2f714a7e883df62fcb6b55b6d426dee3a450d |
4 |
0 |
HackTool - Quarks PwDump Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83fcbb048fc301513c7de88d6b54f969a6cbb28bee2de22baf8a56ee7c454e81 | 4 | 0 |
HackTool - WinPwn Execution | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 75a67459e117421972b0c39ee9d1c2780a77f3110cc7fdffde53730cdaa7bab4 | 4 | 0 |
HackTool - WinPwn Execution - ScriptBlock | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 608e6316d5e2bab30263ce4e9c051683feba8e73b13892340fdc8f3e39513ad3 | 4 | 0 |
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols | Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea) | Sigma Integrated Rule Set (GitHub) | 4c210a3b529cf299f6fa37ab319ba3210295416f01a975321a00c8d6e61fe960 | 4 | 0 |
Indirect Command Execution From Script File Via Bash.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 11020bcf53b965fedad4d6de4a0a624f9821c338f483405ea18ded010a551c50 | 4 | 3 |
Jacksbot (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | eed56e9a26e865b9accdc5a4ef7e681ca4b83deb2c6f21a65d28cac9e28547f1 | 4 | 0 |
Mimikatz Kirbi File Creation | Florian Roth (Nextron Systems), David ANDRE | Sigma Integrated Rule Set (GitHub) | 95885fc26cc231b01a2aec40f7e62fdfbb58e544c344b8698f80b7d9a67488df | 4 | 1 |
NPPSpy Hacktool Usage | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fe93afc27b2b53b9e4deb1b29d0172ddf97ab492beba618fda8529d8eb602bed | 4 | 0 |
Netcat The Powershell Version - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | 53b2cd18791dffbcc1b31b49b26f0068d68f366bccb84e299cb79ddcccaf04ee | 4 | 0 |
New Hidden Tear ransomware variant | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 92dd4e3ca17ea4f0bdfb71304a8fcbbd234749a15c0c26579fac17253c4b2463 | 4 | 0 |
Operator Bloopers Cobalt Strike Modules | _pete_0, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | e730bec5d212d6a2c262a97a77cb0b3bf1ba182161a6648b1a4cf4936fede01f | 4 | 1 |
Permission Misconfiguration Reconnaissance Via Findstr.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c26472b8ef978b2519ce5cb30b5d30baa08b0717a6302fcbfc81a2c8ebde884b | 4 | 0 |
Possible Applocker Bypass | juju4 | Sigma Integrated Rule Set (GitHub) | b9996fdb64c94bd97526744b8287a3b3b02ac4eceff0980c672209adae0be6e5 | 4 | 0 |
Potential Credential Dumping Attempt Using New NetworkProvider - CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4777339ddbbc4185feac4c036855d36de485c1178bdd82acf02e02b9b3792f27 | 4 | 2 |
Potential Credential Dumping Attempt Via PowerShell Remote Thread | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | ed3831d20478d9b3e7a4bada4351902574fc0eb36fbfd51032119c477b94e4fc | 4 | 0 |
Potential Exploitation Attempt From Office Application | Christian Burkard (Nextron Systems), @SBousseaden (idea) | Sigma Integrated Rule Set (GitHub) | 5b693c1a0e1c87bcc7e8b870deef8f3f2c0aa4be921233e7ff5379f3b1f85dfd | 4 | 0 |
Potential Persistence Via Netsh Helper DLL - Registry | Anish Bogati | Sigma Integrated Rule Set (GitHub) | 4b4cd16c122f46fa70660a3d40c309ad3aa316bb78e9d0c38261a9e876f12932 | 4 | 1 |
Potential Persistence Via Shim Database In Uncommon Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4ab73e958ae7c677f546adaf223074983fa1112cf7085c97a5dc943e6698e822 | 4 | 0 |
Potential Registry Persistence Attempt Via DbgManagedDebugger | frack113 | Sigma Integrated Rule Set (GitHub) | 0764cda98bb00fbde3294e28d5bb3b95797a31d8931448c764caa0743451358f | 4 | 4 |
Potential Signing Bypass Via Windows Developer Features | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 986893b548623816b5ae487b1583f58f990d71c70832d8464ad658f66e9da4b9 | 4 | 3 |
PowerShell Core DLL Loaded Via Office Application | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 246dcaa188fd410c547358799f25f6bc9452279b6460d09f2655d188926848ea | 4 | 0 |
Recon Information for Export with Command Prompt | frack113 | Sigma Integrated Rule Set (GitHub) | e49a78894a2986a5fb30eb4ab25cd648d87db2a35906c29afc8fa6d7664f5e63 | 4 | 1 |
RestrictedAdminMode Registry Value Tampering | frack113 | Sigma Integrated Rule Set (GitHub) | e448d82f06478af407e6d655ffbea46e7a876deeda7f5ab28f9de6183e6708a4 | 4 | 0 |
Run from a Zip File | frack113 | Sigma Integrated Rule Set (GitHub) | 5cf936f9d2feaada449504fe406fc44b2ee6f674a4433863662f135096618431 | 4 | 2 |
Running Chrome VPN Extensions via the Registry 2 VPN Extension | frack113 | Sigma Integrated Rule Set (GitHub) | 09e6a0408f2c734eee75232ab5bc1dd09b1be6e414b3e10b4d2f9efdd69c2311 | 4 | 3 |
STRRAT Behavior (Sysmon Detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 37be2d5ff063bab1272d9db26a35c83920a7ad21e155ae6c12c1730446b5194d | 4 | 0 |
Scheduled Task Created - Registry | Center for Threat Informed Defense (CTID) Summiting the Pyramid Team | Sigma Integrated Rule Set (GitHub) | a586d9331b4964f9cac6b848f49a3c0ebfd82bb006193f6220dc52c27f525623 | 4 | 0 |
Security Software Discovery Via Powershell Script | frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f02d9a0f1e4d862f9d1b1d10a2f43de36d855212d5a70b671a8493d53a1b1722 | 4 | 0 |
Sodinokibi | Joe Security | Joe Security Rule Set (GitHub) | c2ebed9de5119e2fc16078d56ef8c2d3fc9637ba785aa7893fe5cd6a3e1a3ccd | 4 | 0 |
Suspicious Certreq Command to Download | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 90480b0d96dd273a177b536ad0b17f114b0426bdb4c6e04d4692da954658bac1 | 4 | 0 |
Suspicious Reg Add BitLocker | frack113 | Sigma Integrated Rule Set (GitHub) | 1e5c4651907cea569ba4493fc4d9c634d654da730dcdfa36412180bfb694dba9 | 4 | 2 |
Suspicious Scheduled Task Write to System32 Tasks | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3da113395881b8606ab35684394038c9c59eb8dae1b899ed92a2c40df104f5aa | 4 | 0 |
Sysmon Configuration Modification | frack113 | Sigma Integrated Rule Set (GitHub) | abdfcf563f91cb4c9b132baa9fd47b92a1e20294c09c02d7571f6fe5505f21d7 | 4 | 1 |
TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e3cdbb4de2c006685f06e358196d7f41ab1098005328b93d9834acae72ddaef0 | 4 | 0 |
UAC Bypass Using ChangePK and SLUI | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a334f66679d3e373f49f08113614e79457c624e8ef315085de12c285bc5d7d4e | 4 | 3 |
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 213f3b50d46266ee33bedcd7b9691e39509b532ecaac33a9bd6bc6b9ebfdbc12 | 4 | 2 |
WhoAmI as Parameter | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31e555cd1c55ce445dfd8bd7c10843187298b45b39b33ddf41b5bce83e212c86 | 4 | 1 |
Wmic Launch regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 4bd4adb7096f2875c9d4780cebd4f8cc5d8f98ae072aa38aea08cb38ea623042 | 4 | 0 |
Adwind RAT / JRAT | Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 211f7156257e48d853aa431ddfc3fc7b86ca8dabc95f61553575d821ab58fd76 | 3 | 0 |
Arbitrary File Download Via IMEWDBLD.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 43e02140c577391f4f448dee2a5252a421485f65e30fb1a8c5100dedc59e6111 | 3 | 0 |
Check privilege of CMD via whoami | Joe Security | Joe Security Rule Set (GitHub) | 07a05a43e0384cce9c41d6cb6ed256ebce6aea8c6455db044d755ece6063babe | 3 | 0 |
Conhost.exe CommandLine Path Traversal | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae01473f6fb2564e81d4c6e62699b0c4458725e8a9aa178c9ac3841d5af3b1fa | 3 | 0 |
Disable Microsoft Office Security Features | frack113 | Sigma Integrated Rule Set (GitHub) | db422d3f89e405109467a926cbee52085ff1a33cf97bc054529a03a316dafa2e | 3 | 0 |
Disabled IE Security Features | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd832d1e805b850c68be7f120da6482e6126a8ee0860e3355d54604a2040eee7 | 3 | 0 |
Drops a DLL with WLL extension to the startup | Joe Security | Joe Security Rule Set (GitHub) | 0a0b097696bd0b36b7d1443e446cbff6c2146d7a93cacaf2838ed0fe366b61d9 | 3 | 0 |
DumpMinitool Execution | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd9440afb1ca0cf7997134c36af074fb136e90414cfd1d56903ab43e8c52b253 | 3 | 3 |
Equation Group DLL_U Export Function Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a6d1a36dcfe72a6d78f5dd3b78c79bc294296460a9b3adcd993bdd6409046c7f | 3 | 0 |
Esentutl Gather Credentials | sam0x90 | Sigma Integrated Rule Set (GitHub) | 477a3302165776826dc440702e8eaed12303d2f1dc7a0fc02eb400d3f82f2e6b | 3 | 0 |
Evrial Stealer (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d5974817e9c9eeb05c8b60f23de31930c84cb3eb8d247767b7fe7bdbec4ad23 | 3 | 2 |
Execute MSDT.EXE Using Diagcab File | GossiTheDog (rule), frack113 (sigma version) | Sigma Integrated Rule Set (GitHub) | c4a1cabbd4c25e14be0bd98c5770d2e94ad2885f8f505bddcd03978cf4ba0905 | 3 | 1 |
External Remote SMB Logon from Public IP | Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 676272e187514be2245c3e99449f737c2a5ccd25c5cc68d52d965c7638c25fdf | 3 | 0 |
HackTool - CACTUSTORCH Remote Thread Creation | @SBousseaden (detection), Thomas Patzke (rule) | Sigma Integrated Rule Set (GitHub) | 7b0f6b7c0939954a4e8dd01dcda83d20044a57808d265a6697c3580fde333062 | 3 | 1 |
HackTool - Stracciatella Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 91b5e23483ca6c8edbfa31c7fb6978213e819e3f968f35d109a7fb75c36c3deb | 3 | 0 |
HackTool - TruffleSnout Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 2f2b803c7e154a72c734f5b9d5c3d332b3174757ed624c55dad5a52ad36934f8 | 3 | 0 |
Imports Registry Key From an ADS | Oddvar Moe, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 004a32a3ac811e09e68ff3749364d27bd3064f5a8e6e2869b7b47cc6667b939e | 3 | 1 |
Interesting Service Enumeration Via Sc.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 96388ced606f7e338e6e4e6b4016082f23db8c47bc9c0479bce4b46713bf52f5 | 3 | 0 |
Invoke-Obfuscation Via Use Clip | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | cf3869e5aa623f0e8acc74d1afaf5036cb7bbbcb1418a1af1670aef332fd2115 | 3 | 0 |
Invoke-Obfuscation Via Use Clip - Powershell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 1c3ea7c0333da16496964e50a5e57012a3b70695f952212351e08d08530da6d0 | 3 | 0 |
Malicious ShellIntel PowerShell Commandlets | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fd4e3cdd5f9ec511509a9b456f37f38c1e40597b044a8b780d338b09445fcf05 | 3 | 1 |
Microsoft Excel Add-In Loaded From Uncommon Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4076e4f038a7d6f293f6e47f60dcd57e4300eed4dc9d024dee3f73d33c6cdad0 | 3 | 2 |
Msxsl.EXE Execution | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | ae7b576a3a4975bf50b43165f4c1f319c45da44af1dfb0c8ee9476258ac726d2 | 3 | 2 |
Network Connection Initiated By AddinUtil.EXE | Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) | Sigma Integrated Rule Set (GitHub) | b611a24b790a31aad876c02e032c02d5d2c1262d42e4b6dc4d773287467d66f4 | 3 | 0 |
Network Connection Initiated By IMEWDBLD.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 785fda7f769e06444f3d969a9e64bac3cb1625df98e533dffbb90df45425e748 | 3 | 0 |
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application | frack113 | Sigma Integrated Rule Set (GitHub) | d7bf9b098435065f098535225724119d1065101149d54b78b79c5eb2ac3ee9ea | 3 | 1 |
New Network Trace Capture Started Via Netsh.EXE | Kutepov Anton, oscd.community | Sigma Integrated Rule Set (GitHub) | ed43493e84bcb41bf4a6e8d03279fa79baffdfa16300655622641d8b9754d344 | 3 | 0 |
New Virtual Smart Card Created Via TpmVscMgr.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9f01b952a8701fd70653525eead398a200949fadad6dbd431a57585a2779e52 | 3 | 3 |
Nslookup PwSh Download Cradle | Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 6abd8206d99c8274a0842b1790664265abba050503b2bbafabfd33fd68b91cf0 | 3 | 1 |
OceanLotus Registry Activity | megan201296, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 5a41f82caece4fe65bbe71be9148baa62a842cabce69fc96f25fcdbf97f8008d | 3 | 0 |
Php Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beb929216e4b57c3b1275c3d5d5bf04fed77445512365bc0d3af736280b5b382 | 3 | 0 |
Potential Active Directory Enumeration Using AD Module - PsScript | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | e5d9812b15bcfd11818558302edf1cd1fdc52ea1a6ad66b17bb07eca4d7d8545 | 3 | 1 |
Potential Base64 Decoded From Images | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | d17f74bd10224f28ca8ad151cb9cd1c5e19ae38f0575362101e7e3c2f0fb6414 | 3 | 0 |
Potential Commandline Obfuscation Using Escape Characters | juju4 | Sigma Integrated Rule Set (GitHub) | 4ead40e4f0adc5e486cc7911fc0b0b94f05bfe0d27b5f0c2d24e0c803d089fc5 | 3 | 1 |
Potential GobRAT File Discovery Via Grep | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | f2b7e99557cee988b524bd2d2f8d377bafac5c0d25546caf506df8734c2578ce | 3 | 1 |
Potential Persistence Via Security Descriptors - ScriptBlock | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1f7de9310570e85851b78387f389d4afad2aec4f21a751de564e4d9dbe8ef806 | 3 | 0 |
Potential Waveedit.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4c4ec335e3d6497145157f5feab27885dc6a95ae032af1e936e14e6ec130afc5 | 3 | 0 |
Potentially Suspicious Electron Application CommandLine | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef3162002154dc7e276e27ac75c84e2115776de86e92e17515db41702b0254c2 | 3 | 2 |
Potentially Suspicious ODBC Driver Registered | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f7ec5b0533fdece79792bce469c843b6efc7bd40fd54811a5b3ba106ba6b29b2 | 3 | 0 |
Powershell Exchange Snapin (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 1920836da8784b3f635f88d7c9216b6619a5f5613a5d53fefb342c817897a736 | 3 | 0 |
Python Spawning Pretty TTY on Windows | Nextron Systems | Sigma Integrated Rule Set (GitHub) | eb6deecc46500c9d451a514915fe89928aa77232bbaff37b89ff9964febc2f7e | 3 | 1 |
Qakbot Rundll32 Exports Execution | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 312c58213f5112dced4d90fdbd5b3f6024663cf7b4c85b209ddcc69bc0a84857 | 3 | 0 |
Registry-Free Process Scope COR_PROFILER | frack113 | Sigma Integrated Rule Set (GitHub) | f566e9fbc25004f90a7c502406100ff744d00b85ad929d568a47872238e1af75 | 3 | 3 |
Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | a9fd3d8b393121d910bdb6416807881b8e231fde412098c46594fc45821d23ce | 3 | 1 |
Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | e7df5abed193d7732536dcfeb0d58fbdfd844ab7c3ddd6186f9afa9ced7a6f61 | 3 | 1 |
Renamed MegaSync Execution | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 5ed404c9cabd248ba80d6d5852fc81ff9c668726a632eb06be9595bd5b80d869 | 3 | 2 |
RottenPotato Like Attack Pattern | @SBousseaden, Florian Roth | Sigma Integrated Rule Set (GitHub) | 5389e8a683229a6fb7e29cc17dff4e0811d8239798f60128c6f63871d4bececd | 3 | 0 |
Schedule script as task | Joe Security | Joe Security Rule Set (GitHub) | 80a5b002421fe7261fe436fe34fde2f1e2a0b5b1d5fb7fee3b2afe02f76952ba | 3 | 0 |
Screen Capture - macOS | remotephone, oscd.community | Sigma Integrated Rule Set (GitHub) | f4a2d13a06a29fbf2313f88753ab9955589a7aef45cfb0faea108c5bfac59ab3 | 3 | 3 |
Security Software Discovery - Linux | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 62a85e4a565b5b8609540a8aab58fbf730dd8330b219cb92da87bb5be582ebeb | 3 | 3 |
Sideloading Link.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d12dc80661a49ab922f3ed3b488e8a49f6edf53b777c918dc2f0b905b20d9bbb | 3 | 2 |
Suspicious Child Process Of BgInfo.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f927c3875e2266d2070993dea88e92da092e42fd5716dc5c8254d686fa0222a6 | 3 | 0 |
Suspicious Extrac32 Alternate Data Stream Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 908072bc38c223e94e034ac7acafdfda27359b429525af331f388a7ef0e2b66c | 3 | 2 |
Suspicious File Download From File Sharing Domain Via Wget.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2259e9f8814e4d6d8101a51d8c30fdf9734d413e0d7da0a3a122e607e3f1ebde | 3 | 0 |
Suspicious Plink Port Forwarding | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fd6a0f7521cf3dabf0d2ac45a1aed9f2e2029daa9d1fba9f71905bb34aa427ca | 3 | 0 |
Suspicious Set Value of MSDT in Registry (CVE-2022-30190) | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 08f4372e76fc0605c4e338fe71c656a918209c7ab03da84c96c5f8d99d4bc241 | 3 | 0 |
Suspicious Spool Service Child Process | Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) | Sigma Integrated Rule Set (GitHub) | 2445eef8bbfc5d52245783f3d3a39b67d2a9e863e057b9710358f473c4a0d9ed | 3 | 0 |
Suspicious Use of PsLogList | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2a651ab66176323248a00a1c8f2e0c1d6e82ebbcb2c316bd3a1bce5391cc6b28 | 3 | 1 |
SystemStateBackup Deleted Using Wbadmin.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 9aae4742b47a403c0d2871d344a6076cd6b797a267bbe2d0b85e607927ef3dc9 | 3 | 0 |
Taskkill Symantec Endpoint Protection | Ilya Krestinichev, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8cab8c8e34c5bf6c9ad0f509a28ebf3139e2d73c3b69078e57a1a63a0d5465f3 | 3 | 0 |
UAC Bypass via Windows Firewall Snap-In Hijack | Tim Rauch, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 6394e0e9f8661be1f0a1006d948fbd4f1430543e592ee7fb29a34a6c6fded839 | 3 | 0 |
Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | 1e33259c56ec61269739a1b6f2e7e13760703a505f60b194702ff716a6fe0fbc | 3 | 0 |
Use Get-NetTCPConnection - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | e69f9e383811e595a9561c923eddfc5df48f9e54f4df8fa281fcef6b501048ac | 3 | 2 |
VHD Image Download Via Browser | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | cc2b06ca0a290be229ec488dee7f065eb88793eebdff5809591bff7291d6da7b | 3 | 1 |
Vulnerable AVAST Anti Rootkit Driver Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e9c74d53713106fb02366cb62d020afa0660b87c13561de9c43553b46bcb0d06 | 3 | 0 |
WerFault LSASS Process Memory Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 698bc272479b99ab8911efeb4b32e6de83a3fa47b310e5829ce6e8ff5702b1d2 | 3 | 0 |
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | fd0a272556e2d962e1ecfb8d8fa8ab6f1d728c870db382b0b56dc04e7bf20317 | 3 | 0 |
APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a5976bfe7c4ff52e5b70711a7444670a4f2d462e99bd30d3c6950495e32018ac | 2 | 0 |
APT27 - Emissary Panda Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 49512d886fa3e8d9595464c693fad4fb93dcbdbc537cda049dacce772f11f38f | 2 | 0 |
Active Directory Database Snapshot Via ADExplorer | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43d5cafc2ab99baaf01e5514d320d214797cff1d52b8ad3336702522499ae5c4 | 2 | 0 |
Arbitrary File Download Via MSPUB.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a70e1836669aefe4c5a9b48179c7a3c4857505b87dbf8a3bb424d268fa80d857 | 2 | 0 |
Arbitrary File Download Via PresentationHost.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffb4d3b820e87f926948fb36dd6a790bd67e547ee318bb322626148b736139f7 | 2 | 0 |
Arbitrary Shell Command Execution Via Settingcontent-Ms | Sreeman | Sigma Integrated Rule Set (GitHub) | 1eb1f4796a2c05305c0e6fb961bac3fd02861464a7d6bc3d1a35461737101c81 | 2 | 1 |
Clear PowerShell History - PowerShell Module | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 2169a242b9139d712fde6f31781a606f5f50af9d5dd7474d415ae08a0cf96fb7 | 2 | 0 |
Code Executed Via Office Add-in XLL File | frack113 | Sigma Integrated Rule Set (GitHub) | 166571671ff0b50e7d6b641f7490790a2762897cb0cbbe9e2d489edb3d71010e | 2 | 0 |
Communication To Ngrok Tunneling Service Initiated | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 66c8b63b56d52c8e957113c3f77712e8f387682164afca0cd844ddf44255d5a1 | 2 | 1 |
DNS Query To Devtunnels Domain | citron_ninja | Sigma Integrated Rule Set (GitHub) | 254c09638219aa6696f2e2081c648d3dd50771345f11602b8537de5853d0534e | 2 | 0 |
Enable LM Hash Storage - ProcCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8c9b1d4e376bf1355fb498b17e20c342a11d72a3a856570a9b876c049aa9da6b | 2 | 0 |
EventLog EVTX File Deleted | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b0d9d7e9525bf270536360deae4be670fd711eeb30bc51caa119fb9f61e3293 | 2 | 0 |
Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 368433c7157e0778f035c6c8b5a6cd0f273d860606bfa36f632144c7050b4c7d | 2 | 0 |
Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 769fe648255c0a237ee125f74d2685b54cf7799f6b5cffeae1f2fee47164091c | 2 | 0 |
Executables Started in Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 934747e347848f3bf5d2222f0c29c4c6e42831b94a6e0ce77ff40017e5f11fd2 | 2 | 0 |
Execution via stordiag.exe | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | c012b058c607c697ab3013783a9a418dd2b233fa1f22ea4f8160238a19c65577 | 2 | 2 |
Findstr GPP Passwords | frack113 | Sigma Integrated Rule Set (GitHub) | 6403688c88307224c6c37547c26a3634868d77d08502d77529f03daacc410a51 | 2 | 2 |
Fsutil Behavior Set SymlinkEvaluation | frack113 | Sigma Integrated Rule Set (GitHub) | b479dbc5f99a688a740ef0586d12870ce1e3a4a5449727bcb3c11bb1510b6e8e | 2 | 2 |
Lace Tempest Cobalt Strike Download | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 030738beefd23cc9aa74c61d31df8c293d5a9200d3ef5aafb5c65d9dd6ecfdb6 | 2 | 0 |
MavInject Process Injection | Florian Roth | Sigma Integrated Rule Set (GitHub) | f7232cef6ad5bca28b27340de367589ba9ef580c1abb6dd69d8f2005a6473a4d | 2 | 0 |
MaxMpxCt Registry Value Changed | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d70e32bf8761ec29c3041975705f1e2fae75bceb86dc470f68fb5470998ebbc | 2 | 1 |
NTDS.DIT Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 390c3febc49c9a0fc552532f457e9efc5156bdceeafb613044d35aab29b7124f | 2 | 2 |
New DLL Added to AppCertDlls Registry Key | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 4bdead82e3a6a57ba296d62ccea3f3cd1086e50cb50a9b58540d3e065c5c756b | 2 | 0 |
Office Application Startup - Office Test | omkar72 | Sigma Integrated Rule Set (GitHub) | d30a6ec556476631a5a9c60d8741c765b1c2e39b6c80bda1ad8bff961bbdae9a | 2 | 0 |
OilRig APT Activity | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 01364fb1c5ccb780456530afa742fccc7c5de42d1cbac829fd6f4c435888f499 | 2 | 0 |
Potential BearLPE Exploitation | Olaf Hartong | Sigma Integrated Rule Set (GitHub) | edf3ca6a0c573fb6b3eae8a8a4a6dd129c1ddebc37dc457690fae45e9594a950 | 2 | 1 |
Potential Compromised 3CXDesktopApp Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae1d35c3cca80cd7625db9f23535aeb938e4401d7c63e6a938329fb4c3ccf55b | 2 | 2 |
Potential Dtrack RAT Activity | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fbcabbd5b0fb4855de3b0bcf6bd58239facf0733ad46f2269ef540d344acb5bb | 2 | 0 |
Potential EACore.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bae93e846c7f1124da8273ecf31e2f1ae30f1122c5f52d1eb649abe9138e34d2 | 2 | 1 |
Potential Initial Access via DLL Search Order Hijacking | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | e6d0eea0a68b5abc52d30a4b096e43a13457c330945c48f0e430af2cc2e61bfb | 2 | 0 |
Potential Pikabot Hollowing Activity | Andreas Braathen (mnemonic.io) | Sigma Integrated Rule Set (GitHub) | dfbd5340c469a9808e1924fb200f0b7bc6a8c9064e9f1f3f31aada63ba5a81f8 | 2 | 0 |
Potential Privilege Escalation Using Symlink Between Osk and Cmd | frack113 | Sigma Integrated Rule Set (GitHub) | 8cbfa46e76433375262d4d1f1dc8b0a83074e3cd6f258685ddb5157686b1bf26 | 2 | 1 |
Potential Provlaunch.EXE Binary Proxy Execution Abuse | Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | f004fe52f11323fd4e5294e8a42fcf163c1a8ae373c9be8ff16bd9aa0f8fc321 | 2 | 0 |
Potential SNAKE Malware Installation CLI Arguments Indicator | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 776160f093a30c394ee06208302af31972f09fa9e8f5c8513d5875805b1036fa | 2 | 0 |
Potential WizardUpdate Malware Infection | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | f0965e89bec6836e03f26455041fec4e6e308a4db39383ef3ae83dbc3559b8a3 | 2 | 0 |
Potential appverifUI.DLL Sideloading | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8964e214caef205f5e328fb9bc48c38223b6d8e1d6491c5427230ce74c9e0904 | 2 | 2 |
Potentially Suspicious Network Connection To Notion API | Gavin Knapp | Sigma Integrated Rule Set (GitHub) | 9714bc1425872c757c1c3e386bccbb903df68beb44462bae73a91d08255201f0 | 2 | 1 |
PowerShell ADRecon Execution | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 8f33121f45ae912b9307a03c4dc5d5309016b47eb4b2d937c74e55cda019203e | 2 | 0 |
Powershell execute code from registry | Joe Security | Joe Security Rule Set (GitHub) | 22f5c0268236153aea7f17b7fcb4e9a2ef903343534a9c2a98b5c1f8918bb9a5 | 2 | 0 |
Powershell launch wscript | Joe Security | Joe Security Rule Set (GitHub) | 2daf820a836b6725473b0e6ef3075aff5f25c39f1613ea91e098fa179d7a30a6 | 2 | 0 |
Process Memory Dump Via Comsvcs.DLL | Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31766028cc56afd6db535a222ec9ffa3a26c485dcd759324e890434acf17a601 | 2 | 0 |
Ranumbot Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9adcf2b748c0913ce46ec2734223045df982e2a86948b8740a48edd412720e70 | 2 | 0 |
Remote File Download Via Findstr.EXE | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b25ab86e0ba70b3af5d0a483821d7d39719e5572fd839640d5ae4c266df66177 | 2 | 0 |
Rename system process and copy to suspicious location | Joe Security | Joe Security Rule Set (GitHub) | ae5e05ff7a2f5d6e654578b73a1ddc50baeec856b0ab003ad6852c80beb8b068 | 2 | 0 |
Root Account Enable Via Dsenableroot | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 9ed5a03fa44e591022f4c2ffac36da6526e31a9f00e09e00d3ff80c78dae0515 | 2 | 2 |
Rorschach Ransomware Execution Activity | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1dd22bc99ca7b86ddefd8510fd40122a8faa3a7929e23cb02ca34043f20435c8 | 2 | 0 |
Run Once Task Execution as Configured in Registry | Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated) | Sigma Integrated Rule Set (GitHub) | a670267e081a215d8a32b1cf6cb799023ff0667dc9da2d474cf20a91e4f2a2cc | 2 | 0 |
Sofacy Trojan Loader Activity | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | c070e2f2f992c0ce37ed49db72f4c8ea1c3a9cc853e61535bd2625b5ae688b78 | 2 | 0 |
Suspicious Application Allowed Through Exploit Guard | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 29b522d95420783d0a63b55dbd3354b097998d44c509743818e59c058b508fba | 2 | 1 |
Suspicious Command Line Contains Azure TokenCache.dat as Argument (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 348e3e3f1264df658d94d7b48e449838ca835512c35891520db55b7b1f16160b | 2 | 0 |
Suspicious CustomShellHost Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 540a06a16bc10e1e472979a3ae3af251fd81638d7e2df1eca74f74a3c9bcdfae | 2 | 0 |
Suspicious Dump64.exe Execution | Austin Songer @austinsonger, Florian Roth | Sigma Integrated Rule Set (GitHub) | 5b1f1b40ef6ce717bbb2c8bc6cae3ad4d4530c3d907caaf29c131d784777fc01 | 2 | 2 |
Suspicious Get-ADReplAccount | frack113 | Sigma Integrated Rule Set (GitHub) | 478761747645c9124bc13d30f52628821f5399cfaa18aa7299711991ff610f50 | 2 | 2 |
Suspicious Program Location Process Starts | Florian Roth | Sigma Integrated Rule Set (GitHub) | c593fd1eac248d2f05a155e6c8ef2682b9022a12bc03104ff8e9e7c40f585268 | 2 | 0 |
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 665e2dd3eae60ab7cd97ffda7adaa13425a564ed16f8bba8bcfc43b8a5023919 | 2 | 0 |
Suspicious Rundll32 Activity Invoking Sys File | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f4b9a5aba26ac1d465f55970b8defeab4a4704def7889e6c296b0f33cd1fad27 | 2 | 0 |
Suspicious Rundll32 Invoking Inline VBScript | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 40e3e97976c84f512b11ec485b8dc54ce731851327fe05beff6b567fdfe2b91b | 2 | 0 |
Suspicious Shells Spawn by Java Utility Keytool | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | b7e93e0475f0c46a1c6bfd3f1f401e0a34bb9c8d73e2308101ed1368b5189de0 | 2 | 0 |
Suspicious TCP Tunnel Via PowerShell Script | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 404fde37527518c0d7cf90ad471c4252ad236b709821c13171d3cabefd1af2ba | 2 | 1 |
Suspicious WERMGR Process Patterns | Florian Roth | Sigma Integrated Rule Set (GitHub) | 993d5c8b52bb82b1de2604204add68928f1fe311e3072e4e053d6dfb969e33e7 | 2 | 0 |
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 780ed5be93f71a397b1b6c9d95912c0781c2ed9114eef8fc5aec854bf80b1f2c | 2 | 2 |
Suspicious X509Enrollment - Ps Script | frack113 | Sigma Integrated Rule Set (GitHub) | 77e34e5ddd682fec92906cbab4f1a75be4ca9f043f76d91925f61910a08af10c | 2 | 2 |
UMWorkerProcess Creating Unusual Child Process CVE-2021-26857 (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 777e78408dd5e81cb40b0dd4b18dc729cd882538beac8337067e6a2ceb940493 | 2 | 2 |
UNC4841 - Barracuda ESG Exploitation Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee7d4dbd9f33900a9a93c377bedcfab9cbc2a4baabbbd764d436f767635f603d | 2 | 2 |
Uncommon Child Process Of AddinUtil.EXE | Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) | Sigma Integrated Rule Set (GitHub) | d07c0111ca994bb6ef90efc7d6bfcc5a20408747015d99a9bb8d5fd462868d91 | 2 | 0 |
User Added To Admin Group Via Dscl | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 053a1a9c29702a8132865b251a7d79230d06f3985fe5d8f799079ea3f6748912 | 2 | 2 |
VolumeShadowCopy Symlink Creation Via Mklink | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 3b5b0346a9d3b5b510bfd33a67662439c44419ada001c73160bdcc75d76b2d3b | 2 | 1 |
Windows Credential Editor Registry | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6ebbbc78481d8b5c75483ddb2c7045a006678cbfbd915c2e6d0c0e5d2dfb736d | 2 | 0 |
Writing Local Admin Share | frack113 | Sigma Integrated Rule Set (GitHub) | e62e7dc0b12394b319cbb70f3b434d86a1a4e97c05c4cf3939efba22e4c603c7 | 2 | 0 |
ADFS Adapter Process Spawns (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 5b090817d20c98f190eec819a6c655b46a96324e58e3195a7f9c5e076fae6acb | 1 | 1 |
Access payload via nslookup txt record | Joe Security | Joe Security Rule Set (GitHub) | 67bf4076420cafbe2c3dc3fc86fdd91ae99b1405541272e1e5761f827675c619 | 1 | 0 |
AppLocker Bypass via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 2331619a69009fbe3cead24a909b7e9d42ffb14b71caa6d83ee04fce114b10eb | 1 | 0 |
Assembly Loading Via CL_LoadAssembly.ps1 | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa273ed357d9327c9c8131f9175a347aa2c8c8fa545e8642b56404eb76668070 | 1 | 1 |
Automated Collection Bookmarks Using Get-ChildItem PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 9fa49f4a1e9253459c99846a03ce69d8e029b42640efba5e158e2455b6c0f5fc | 1 | 0 |
AzureHound PowerShell Commands | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | d745e174b185bed59eeb7c26c061f86404d4a74607b523973b17ee01d22e665f | 1 | 0 |
Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 73c0a64c5562e339d22b6dd8487f58f08f817a078ee2d99fa508f2bcec9487d2 | 1 | 1 |
Certificate Exported Via PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5d6cbfca798cb6cc7bd8029cf8dda1f2096f0f7f9a422bdde483cdc370a4ab12 | 1 | 1 |
Cloudflared Portable Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0df6b3969a48add8dac066e0fb800e67f9c0f718cc0e73bcb8530f3ba4834c15 | 1 | 0 |
Code Execution via Pcwutl.dll | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | d893a429c2ce543e3a265b3794e1845676e899c8dab1ac888aca5607d9821ae7 | 1 | 0 |
Create Volume Shadow Copy with Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | ef1d2531cf3919c8ed1ffd678acc8325c41225368f4add8ce5d727f9d4f742ba | 1 | 1 |
Credwiz util dropped by mshta for dll sideloading | Joe Security | Joe Security Rule Set (GitHub) | 47b76425766ceb0d5f71f5b737ae4660dc4fcaa91295131395a542596953ef67 | 1 | 0 |
DLL Execution Via Register-cimprovider.exe | Ivan Dyachkov, Yulia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | dd9b6910a5e264c2b56a7a735f0cfc2cab9c341775db4a260bbadf7815d05772 | 1 | 1 |
DNS Query To Visual Studio Code Tunnels Domain | citron_ninja | Sigma Integrated Rule Set (GitHub) | ef7875627109402da8f45dc9d58e5fa63734724bd100987579c6d36e1cb777ae | 1 | 0 |
DarkRAT Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5157203e484dbfa217f40f7089460a4c6713e54ef44ca66a31ec7d5c820f0d26 | 1 | 0 |
DiagTrackEoP Default Login Username | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef6b78708541778890f149b517c7191263263f7e3d08908ab5d2e6d2b370d91b | 1 | 0 |
Diamond Sleet APT File Creation Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ddd1dcf7e7fcf2883a62f25b86d45a03612f001c32620254eb246b8e78d07765 | 1 | 0 |
Discord client stealer (AnarchyGrabber) | Ariel Millahuel | SOC Prime Threat Detection Marketplace |
d513011ab49524e73ae98c85b1f902158f55f0412551679d5acbb03eee68c4a3 |
1 |
0 |
Diskshadow Script Mode - Execution From Potential Suspicious Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fd45ac7bbd66ed6cff7101650b2d60441b34f3204588d1fa86847c84ab860438 |
1 |
0 |
Diskshadow Script Mode - Uncommon Script Extension Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b250de19a86e99fc74ff1e9c7318641cef02be674ed262872fc9366d3cd31b8b |
1 |
0 |
Dnscat Execution |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
c625578e8b4d44c52ee346e1df82116ed7e4896e4caad93d0fdb7fba487dbfdf |
1 |
0 |
Enable LM Hash Storage |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5fe89d5a63ca7908f9aa0183174c641eec6cff790082c2360a275ff0b3443c6a |
1 |
0 |
Enumerate Credentials from Windows Credential Manager With PowerShell |
frack113 |
Sigma Integrated Rule Set (GitHub) |
0470d9b3a45f6fadd111284469ea5f0dc2a9e4cebf5973ac13ec483c7c1e072b |
1 |
0 |
Esentutl Steals Browser Information |
frack113 |
Sigma Integrated Rule Set (GitHub) |
bce05b02ed7bf1572470a2ea1548ecf7c62b4acf1b30aad45e3a0dfd7aaa010b |
1 |
1 |
Esentutl Volume Shadow Copy Service Keys |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
e49ec9683ea49e495920eaed6f515ba9a16d6329c30e123a1b7fb158f03004fc |
1 |
0 |
Execution via WorkFolders.exe |
Maxime Thiebaut (@0xThiebaut) |
Sigma Integrated Rule Set (GitHub) |
50d292f837567defe72f24a4b91ee437943cd8f35d5aedcf15979d3d253d38e9 |
1 |
1 |
FASTCash 2.0 - North Korea's BeagleBoyz Robbing Banks |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
4f4f4d2ef9741a90d68b3e1ca5439694604fc80bcb02c3cbde70096562cc6000 |
1 |
0 |
File Download Via Windows Defender MpCmpRun.EXE |
Matthew Matchen |
Sigma Integrated Rule Set (GitHub) |
0de6e296fdb440317bd15b3aa29b6d99b17b08dea792264888e93fa3c62f9514 |
1 |
0 |
File or Folder Permissions Modifications |
Jakob Weinzettl, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d1b3909fc498977f2008254e9e38903c16568e7a8aaaeb2eb0d1d4f155373408 |
1 |
0 |
Get-ADUser Enumeration Using UserAccountControl Flags |
frack113 |
Sigma Integrated Rule Set (GitHub) |
9aed66a645e706e68d91f5f6698e41f6dcbe96ba3a4c700baf46ab5dc42733f9 |
1 |
0 |
Goofy Guineapig Backdoor IOC |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
642912e64596ca5c6f18ce6dc495411e4cb44dd5a9f266dd6200a28758f293a3 |
1 |
0 |
HackTool - CrackMapExec Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3b089e7f895f7da0d05f361a5815b3fb843bf243e11174993b9d167b40cdd5ba |
1 |
0 |
HackTool - Dumpert Process Dumper Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4f4552b72d1fdf1daa9803088eabda70a1a8259d5eae424fcbf3b7edae985b63 |
1 |
0 |
HackTool - Impersonate Execution |
Sai Prashanth Pulisetti @pulisettis |
Sigma Integrated Rule Set (GitHub) |
ebaee3629e5eae35e0043057b3b0fccc4f2831eaadec57c3280dc181b3683c7d |
1 |
0 |
HackTool - Potential CobaltStrike Process Injection |
Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a95251178853987552aca691c7ec1d2e31c91213e0e11f80fd3e7789a1234894 |
1 |
0 |
HackTool - SharpEvtMute Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7f4ab47a48c30eefe0bd92c3fe92c7f2481803dfb5833689959c5f32bff77dc2 |
1 |
0 |
HackTool - XORDump Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4abc044da118e9866fcf5bc9e7da198eb9947cb37219f7a3b35126a70e5dbb60 |
1 |
0 |
Hijack Legit RDP Session to Move Laterally |
Samir Bousseaden |
Sigma Integrated Rule Set (GitHub) |
69573f6b1ce64e7122c33aec2473e20ddf52e90291907115ac5515a58660b7dd |
1 |
0 |
HybridConnectionManager Service Installation - Registry |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
6ba69204045297b2467cffd2d3908dc1588e213dfeaf62bb11c1778c9d93dcf0 |
1 |
1 |
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ada7805a558c75196a7ac0641a9aa087fd9074927fbf34b382103198130c318a |
1 |
1 |
ISO or Image Mount Indicator in Recent Files |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c900f66da95fa26372d3215d39bd89b49e90062a492f060cb46b92415f37ba3c |
1 |
0 |
Invoke-Obfuscation CLIP+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
96f143150cf12b082ad12ff80043a40ce507e50dbf6f4c6d68fb1f4f0cbe1771 |
1 |
0 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
3481fdd9c7d7aa343ba20022ceec206525f19fda50c317ba5e59f6996102f4ce |
1 |
0 |
Invoke-Obfuscation Via Use MSHTA |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9e9633eb15bfbbe3ed0b8c01989e6bb38f91bdcfe4de5867c801ab39f781cce6 |
1 |
0 |
Invoke-Obfuscation Via Use Rundll32 - PowerShell |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
c7fc78f9f9afd5b257d906bddd5224d85c22d33c73eb36c94c9ee19f427defb0 |
1 |
0 |
Linux Doas Conf File Creation |
Sittikorn S, Teoderick Contreras |
Sigma Integrated Rule Set (GitHub) |
827cb8c225f337fd4b3c18389b600f02afbfe9b6ac6bfd1781b69b08b1107a74 |
1 |
1 |
Live Memory Dump Using Powershell |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
843f3a30bd6700683442b21bbfb20c59afbc32cc978b84e9b713a85d39d8cc90 |
1 |
0 |
Local File Read Using Curl.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2113fad72506f5e6808672c78a935f15a15ee2ec5c1d8f8af047e87b6200397c |
1 |
0 |
LockerGoga Ransomware Activity |
Vasiliy Burov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
0c0ba5aebd0db3facb25385b2dbdc2b2a34be391da1993bc8a02c689608fba16 |
1 |
0 |
Microsoft IIS Connection Strings Decryption |
Tim Rauch, Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
20a23b3742adf40aa55fbac8db826b73873b31aff8366fedd4147c3b646e2afc |
1 |
1 |
Moriya Rootkit File Created |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
4a9ddb920ad6eab5d240fd46b4a22a2839ea161414fab29fdcd567a468de9295 |
1 |
0 |
Mount Execution With Hidepid Parameter |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
033a287f5250bcca41748bd549bfd7ef1e178a7fcdfe57ec76157827609648d4 |
1 |
1 |
Mstsc.EXE Execution From Uncommon Parent |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7a00b39dfe303867f3d10fb5408cde9627f21a20a81e999a4a4580cf8e79fb2a |
1 |
0 |
Outlook Macro Execution Without Warning Setting Enabled |
@ScoubiMtl |
Sigma Integrated Rule Set (GitHub) |
2f07ac019282aa31e76811036780c9cb961d1b01262e2beeea4f9f7c17a906eb |
1 |
0 |
PSAsyncShell - Asynchronous TCP Reverse Shell |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c810fbc7a849c84715e0916659832d96fe910348f20d5fae1d5690787d8b4646 |
1 |
0 |
PUA - NirCmd Execution As LOCAL SYSTEM |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
40d85a90edfb89bec5045c66b822890370973192e8b0e6b11d87926d3c70c18a |
1 |
0 |
Persistence Via Hhctrl.ocx |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
619bfabcf9aaef1ece918445b19fedf232ff43505e0243efe19a4570d337eeb5 |
1 |
1 |
Phishing Pattern ISO in Archive |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2df698bbd801db84c12100296dbba0869a2e6936088abee3147315e5617f7fbf |
1 |
0 |
Pnscan Binary Data Transmission Activity |
David Burkett (@signalblur) |
Sigma Integrated Rule Set (GitHub) |
f85fc8e3b59a0650920e8626c3ab8f8e1aee6c2a45989f0048db72682e95717f |
1 |
1 |
Potential BlackByte Ransomware Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
84b39fa5fbd9d5726548c90280f53428562a3fef57fff40cbb48ae96cbd05757 |
1 |
0 |
Potential DLL Sideloading Using Coregen.exe |
frack113 |
Sigma Integrated Rule Set (GitHub) |
01fcc70fa597067bcc483ccdcc3b4008c92d1812ea8c77cdf86a2bd969164c8b |
1 |
0 |
Potential Encrypted Registry Blob Related To SNAKE Malware |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c7a9135a7495cc269f3b10cb8dab6dce6e5938a53d6fa118dbb6229069b5df38 |
1 |
0 |
Potential In-Memory Download And Compile Of Payloads |
Sohan G (D4rkCiph3r), Red Canary (idea) |
Sigma Integrated Rule Set (GitHub) |
000961bac8191e7ec977b21db664763efb7130c56f4cc8e908bfd4fd24f97824 |
1 |
1 |
Potential Qakbot Registry Activity |
Hieu Tran |
Sigma Integrated Rule Set (GitHub) |
2f9f70c567a86353fa5327024f1dfd5d91b237f3883d7158024bf18b7ae8010c |
1 |
0 |
Potential RDP Session Hijacking Activity |
@juju4 |
Sigma Integrated Rule Set (GitHub) |
9486aef25aa918db09425c70f1f87b5676acd4c8dd01ba9b61383b52607cfa1a |
1 |
0 |
Potential RDP Tunneling Via Plink |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
aae2c065eaa9be8624c572fea73afd6a811be26c3caaca6a0da56c0f62209c2b |
1 |
1 |
Potential WerFault ReflectDebugger Registry Value Abuse |
X__Junior |
Sigma Integrated Rule Set (GitHub) |
6d7e74ad7e7edec2929f2aad43e0edb6f0cf204988f5900030550826aa7cb146 |
1 |
0 |
PowerShell Execution With Potential Decryption Capabilities |
X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b54dd3eade714800b0c55aea4fbfe0f786ec6e18dfc8d92c7ea1110c22a65698 |
1 |
0 |
PowerShell Set-Acl On Windows Folder |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cbd27f1b0c7bf5664106f29f78225d4289d95c4885067397a12321e2a2e052b8 |
1 |
0 |
PowerShell WMI Win32_Product Install MSI |
frack113 |
Sigma Integrated Rule Set (GitHub) |
886a6cdfbfcbcfcde30e44f3ad1ba09800d648cd3e218d41751c49d0b38913e7 |
1 |
1 |
Powershell Add Name Resolution Policy Table Rule |
Borna Talebi |
Sigma Integrated Rule Set (GitHub) |
6a0480b5e9f46ad6fd17ff8a2c5a0d95cd8d48431fa85eb3e94646210033a9a4 |
1 |
0 |
Powershell DNSExfiltration |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a40151c9a2ec5e5671945aceabe6ad097c67f4d30456644230d8f9a37511a161 |
1 |
0 |
Powershell WMI Persistence |
frack113 |
Sigma Integrated Rule Set (GitHub) |
d31a6afb995dab0473ccaefae327155cd4ba87afbabf6a872553475c50bb7182 |
1 |
0 |
Powershell delayed execution via ping command |
Joe Security |
Joe Security Rule Set (GitHub) |
9a4875b9a93f7ed6dd4f6259f58f0ff372f1351c267c6d112364a3064aeae82f |
1 |
0 |
Powershell run code from registry |
Joe Security |
Joe Security Rule Set (GitHub) |
09cf140e4816d8c5bcb37b98e996e455d8127cbccdf4287901654f824cf63f13 |
1 |
0 |
PrintBrm ZIP Creation of Extraction |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7a22f5dc1a6c3702cbafc1bf0a6cfca9d9afb689ba7155f9f0675dbc68698583 |
1 |
0 |
Process Access via TrolleyExpress Exclusion |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
98524990b8add9e2e1a7f6bda8a9d1789d97cf82993ffcead8c029681bdd155f |
1 |
1 |
Pubprn.vbs Proxy Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
6c22680943e5f2801362d1a1306680417fe8785a043fed54683a2ca7c75b3666 |
1 |
0 |
Qakbot Regsvr32 Calc Pattern |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
22cd867b42e046d6c867cb73d487647824bf02941580376e31862da525267f6d |
1 |
0 |
Query to GoToAssist Remote Access Software Domain |
frack113 |
Sigma Integrated Rule Set (GitHub) |
543100b86d56272595d663cd87539f09fb01e9ce06b5d847c2bc9ad88710b17f |
1 |
1 |
Query to LogMeIn Remote Access Software Domain |
frack113 |
Sigma Integrated Rule Set (GitHub) |
44c5e7c7bdc6965af0ddf07703f708dcda09e583e4c473d7b247067132a8704c |
1 |
1 |
RDP Port Forwarding Rule Added Via Netsh.EXE |
Florian Roth (Nextron Systems), oscd.community |
Sigma Integrated Rule Set (GitHub) |
70c15fe82eef73d893f59ec3589b484917b941f103c9c29048472576af7e8cc8 |
1 |
1 |
Rclone Config File Creation |
Aaron Greetham (@beardofbinary) - NCC Group |
Sigma Integrated Rule Set (GitHub) |
76a893bef53690d6ce9764427bd65300fe3d50440086afa77a1b15d3f777d9c1 |
1 |
0 |
Regedit as Trusted Installer |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
40b85d8543b5dc00f22211f0dd2f05012b435d38fd8e170370986c189a9b39f2 |
1 |
0 |
Remote Thread Created In KeePass.EXE |
Timon Hackenjos |
Sigma Integrated Rule Set (GitHub) |
c7b5dea156bee8e6c2b83c210e6135eea01b42f8c08ec3f18fd04046036bf973 |
1 |
0 |
Remote Thread Creation Via PowerShell |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
780e368b7c4c2665f3cbcc6184c03b9147726ab5239f4c01341cbc02775dafda |
1 |
0 |
Renamed PowerShell |
Florian Roth, frack113 |
Sigma Integrated Rule Set (GitHub) |
52606fbb97633e0a2c2581ff33bcb2bb212da3c00b02cbf971e5a0aa2f7b4cab |
1 |
0 |
Run CertUtil from suspicious location |
Joe Security |
Joe Security Rule Set (GitHub) |
d10fe75d3edfe38a67c070614eaf661fe0d608b0d0b81ed88ad9673766b25eba |
1 |
0 |
Rundll32 JS RunHTMLApplication Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
343b001a9d0d8504e1dad1dec564de589c763ce6c3c86ccf9ad3ec5835a3e879 |
1 |
0 |
Scarab Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c3b33a6ba821d844c3bfc5a217489aca877dc9bc6c76c84e4d8cabd6a320bd7b |
1 |
0 |
Scheduled Task Deletion |
David Strassegger, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
53299fc80451ec1c374dc7dcad4c9aee3f98bd1defb1b23e02900f2cf17d8c14 |
1 |
0 |
Security Tools Keyword Lookup Via Findstr.EXE |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
3979f492e85f1b955d588204a18591d00902657e2d09f9133ad0a2f5d07cafd1 |
1 |
0 |
Suspicious Cmdl32 Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
cf2baf60d63943d7200da28391b4e63298b2d186faf45b499b001ca84dc882ea |
1 |
0 |
Suspicious ConfigSecurityPolicy Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5b2e321b4ad7aa35a23d2181a655941dc96ea260435a6e1663158a7b2182a9fe |
1 |
0 |
Suspicious File Download From IP Via Wget.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8a77cbb3343b934b17b221810b1278ca68bd24144e2c569763803fe21e9983f4 |
1 |
0 |
Suspicious File Event With Teams Objects |
@SerkinValery |
Sigma Integrated Rule Set (GitHub) |
0afc8b40475b4a11fb033ab7f2b1a3a137953da821273c50bc1edc3839fcc085 |
1 |
1 |
Suspicious MacOS Firmware Activity |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
71c75c172863712967d00b928953180528e3cb3b663a1722518a9271c3538625 |
1 |
1 |
Suspicious Modification Of Scheduled Tasks |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2e8ac8f2b500adefbe25a5aea82f02f8c8fe15388666d33129f8fc614ca06821 |
1 |
0 |
Suspicious Outlook Macro Created |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
76f0ef9a1d3093e7922e73e38b050014d69a703c2cdb6aa842fe5fb1040cf4ce |
1 |
0 |
Suspicious Response File Execution Via Odbcconf.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0c2953b482652803753bde4e28362ae1679c638162190e47c40757d09d8910cc |
1 |
0 |
Suspicious TSCON Start as SYSTEM |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ef15288703ebef641a550ecf3efe69b3c2eae2d9d03b9828ebc27e4474bd138a |
1 |
0 |
Suspicious Use of Procdump |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
bf45bfecf2446b7f2b7904bc35a7006ea9bfae3e8ba4d6ab35dfcb00095b0b9d |
1 |
0 |
Suspicious ZipExec Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4299b17cc3fb6f5ed2bc90d612e461452723118f5b71a85231879dcf7c197ead |
1 |
0 |
Symlink Etc Passwd |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e6c712d0b47b9ca26b1493414298a9db2aa7d1a7a22ae1dd2bbe3d98be6ebccd |
1 |
1 |
Sysmon Driver Unloaded Via Fltmc.EXE |
Kirill Kiryanov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7729210ddf59514a2d5ae300b6b3c3cd9b836719c40091d770a3b08bef6d735d |
1 |
0 |
Tap Driver Installation |
Daniil Yugoslavskiy, Ian Davis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7bd4ba31d00dc2c285a409cd7939611accc6c2934992f8e9cd0ce8c32ad0c40c |
1 |
1 |
Time Travel Debugging Utility Usage - Image |
Ensar Şamil, @sblmsrsn, @oscd_initiative |
Sigma Integrated Rule Set (GitHub) |
f2baa9e77eedc1ad2bcabc55acff8e7d6273352d961c3bf3b07d58b3b7fd8bb7 |
1 |
0 |
UAC Bypass Using Consent and Comctl32 - Process |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
45716a61474d8af25ba7318e0bcc946490ebaf1a0ea6c9a73d6fa3d572e58ae6 |
1 |
0 |
Uncommon AddinUtil.EXE CommandLine Execution |
Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) |
Sigma Integrated Rule Set (GitHub) |
a3b213c5717136a83029dc1cdab2fdd22660f0c66db8fea94a7889db664af0ac |
1 |
1 |
User Discovery And Export Via Get-ADUser Cmdlet |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4e63c259cab70634dcce7fc3f41cbcc1cf49188d52de7590ab2f7a3aa6e47911 |
1 |
1 |
WINEKEY Registry Modification |
omkar72 |
Sigma Integrated Rule Set (GitHub) |
585081efe7df5aaf634ee8b6187b3f8adb0c8156cbcc8f25867ffec4654fc697 |
1 |
0 |
WMImplant Hack Tool |
NVISO |
Sigma Integrated Rule Set (GitHub) |
6b93b7bce89874009dd0ecb10a52f610736bcb6d33fe425d9295732660f6b7ab |
1 |
0 |
Windows PowerShell Web Request |
James Pemberton / @4A616D6573 |
Sigma Integrated Rule Set (GitHub) |
226bf9a98dfb94416c0f984ecfd7e566a55fd0efe2af4257055b1f1be1501377 |
1 |
0 |
Windows PowerShell Web Request |
James Pemberton / @4A616D6573 |
Sigma Integrated Rule Set (GitHub) |
2637f98feb69311f94822998eb3c8b8d217e6c5767e071536ca54f9da830e236 |
1 |
0 |
rundll32 launch mshta and run script from internet |
Joe Security |
Joe Security Rule Set (GitHub) |
529f06043b5ec852cb07ebe7880eaedad5dfcb5b041100dd85458b5ae5d43c1c |
1 |
0 |
(SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
2c660e94b9dd36c78c57a2250c28533823a79106701103f8b2a662501cc2a379 |
0 |
0 |
(SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
f45ee46c268733c28e2e456cd180b06976bca8e8fc0819a141d83778e7e6908b |
0 |
0 |
A New Trust Was Created To A Domain |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
f354ac1a99792012ceaef04ee732d816f1a2d9dee2e30492295b794811ed0e46 |
0 |
0 |
A Security-Enabled Global Group Was Deleted |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
bf3e787c52710338f2de4d60dc5d8c182f8014d194883f95053611e83cb06306 |
0 |
0 |
AADInternals PowerShell Cmdlets Execution - ProccessCreation |
Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b16d67523f0579e7a519f3728bfe10cb26d5526cc90e1b975b33341e51ba7854 |
0 |
0 |
AD Groups Or Users Enumeration Using PowerShell - PoshModule |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a205be34057679bd055b1f3cb3fd18d4d31f2b0bd776288ccba6be10b5a818e0 |
0 |
0 |
AD Object WriteDAC Access |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
58cec962c267e019fa838d36e02695d7254409214165d3ac1363b49e8711131a |
0 |
0 |
AD Privileged Users or Groups Reconnaissance |
Samir Bousseaden |
Sigma Integrated Rule Set (GitHub) |
14cbefe2ccc7618cf17e2c9b92743b97fbf394277a7c17c58ebb3d942aa0a0fd |
0 |
0 |
ADCS Certificate Template Configuration Vulnerability |
Orlinum , BlueDefenZer |
Sigma Integrated Rule Set (GitHub) |
6d83e2c5d3c8dd6baf3897d1fcfef08e8e7745f60a8712ff35acc679d26b2db6 |
0 |
0 |
ADCS Certificate Template Configuration Vulnerability with Risky EKU |
Orlinum , BlueDefenZer |
Sigma Integrated Rule Set (GitHub) |
145c680f84c610717ce0f64126642e2075071657c6b04077e58c08042f45b3dd |
0 |
0 |
ADFS Database Named Pipe Connection By Uncommon Tool |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
4066789e2f52a62b211079b31d3fecc622acde6f0aab1c5127584333f498102c |
0 |
0 |
ADSI-Cache File Creation By Uncommon Tool |
xknow @xknow_infosec, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
39b6e2d47cbb2139a0b088fb0f338071749fe923d01346e457f7ba2b0371e1b5 |
0 |
0 |
ADSelfService Exploitation |
Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
adb52649fba655a7c618328f8a47138b0829cd7ee3ff23c599542d6103b29a92 |
0 |
0 |
AKO Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
bb075da0c850b7587ce9434aef02a948171b3545ebd0914125d7f5fe4fa590dd |
0 |
0 |
APT 37 |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
2c9099b138fc55d5fdb1dce07ff366a656ee06b6ff8dd57d238ce00e61809e4e |
0 |
0 |
APT PRIVATELOG Image Load Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
396dd003148797c25c2cb63e8f2c6e0b3973ed37675f9c214f6a40a269c94131 |
0 |
0 |
APT User Agent |
Florian Roth (Nextron Systems), Markus Neis |
Sigma Integrated Rule Set (GitHub) |
e2b73603c9441b256be9bab1ccd758407a6d6470859f0f6cb838ff2eadc08006 |
0 |
0 |
APT29 |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
976e44f1ea7fa22eaa455580b185aaa44b66676f51fe2219d84736dc8b997d3e |
0 |
0 |
APT29 2018 Phishing Campaign CommandLine Indicators |
Florian Roth (Nextron Systems), @41thexplorer |
Sigma Integrated Rule Set (GitHub) |
8f2c777b3dc85aa4c4663fc4de3a1d8bd273ea3506fd8481a76de1a0ffb2c6b4 |
0 |
0 |
APT29 2018 Phishing Campaign File Indicators |
@41thexplorer |
Sigma Integrated Rule Set (GitHub) |
120841a228484caff2f660319625b672d8b268d649f0522d99d2a59c6c60f3b3 |
0 |
0 |
APT29 Google Update Service Install |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
34f4cff056f24abe91bb29dc04a37ee746a4255101a21724b9ff28d79785247a |
0 |
0 |
APT29 Google Update Service Install |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
e6247b8fe178e47b7e98f318da90608dc7aaf94fa99fe8e933f0a05b6498bdb4 |
0 |
0 |
APT31 Judgement Panda Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
79e0e41a4f427cdb7337c02f6d2bf2f18272a145bf619561b749dc623133dc88 |
0 |
0 |
APT40 Dropbox Tool User Agent |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
572ac9027db60bae5654b7a9bc5d58e315db0810b08d8142c6db54f5e9e7ed24 |
0 |
0 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
1d0bd876f993864d8a65e33ce45e152f3e49063e858a74169b77923d673483a8 |
0 |
0 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
3f84ecf411a71bd8d115a14303c8eac0baf1a7d57c27f81e99c78b2bff51f3c5 |
0 |
0 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a84e26c881c97617cb1fd0ca767f6c6a6aef9dc2b22b7c5346b71449a2bb5bbc |
0 |
0 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d51a28a580a981a8c30c17c8985ac1d2bb9187f6dd4a55cf24b6f0c4cfc4c1f4 |
0 |
0 |
AWS Attached Malicious Lambda Layer |
Austin Songer |
Sigma Integrated Rule Set (GitHub) |
0650616005d1cf25b22be420f69ef9f6271137f0d29697a56f3346877ffd37f8 |
0 |
0 |
AWS CloudTrail Important Change |
vitaliy0x1 |
Sigma Integrated Rule Set (GitHub) |
4ef2dc5f6a20a823034706154832eb2b6caacbdd7526d5f72b41b87b661c18b9 |
0 |
0 |
AWS Config Disabling Channel/Recorder |
vitaliy0x1 |
Sigma Integrated Rule Set (GitHub) |
1ca012603accfb34b464b1a408012216374690743be9979de051b99b95859e64 |
0 |
0 |
AWS Console GetSigninToken Potential Abuse |
Chester Le Bron (@123Le_Bron) |
Sigma Integrated Rule Set (GitHub) |
09f310f17532829d1465eabe4b36307020b5ece377e1b1783403c036fc148722 |
0 |
0 |
AWS EC2 Disable EBS Encryption |
Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
7cc31b5a6e3bb9dfe917930e9cff98c24e1477f39b93c17de733f572469e6746 |
0 |
0 |
AWS EC2 Download Userdata |
faloker |
Sigma Integrated Rule Set (GitHub) |
52870d4d2756b6f3dde8066072d0df3fffc2208a2f13a11ad8dda6663fc6c12d |
0 |
0 |
AWS EC2 Startup Shell Script Change |
faloker |
Sigma Integrated Rule Set (GitHub) |
839d04c92bee18b43af5b78244d9a121efb5f27e4eebc842ae6c62a6c9e4b4f3 |
0 |
0 |
AWS EC2 VM Export Failure |
Diogo Braz |
Sigma Integrated Rule Set (GitHub) |
510922d4a963b58fd4765ade7ccec8ec0d323813387711be4acd2577afcd50d5 |
0 |
0 |
AWS ECS Task Definition That Queries The Credential Endpoint |
Darin Smith |
Sigma Integrated Rule Set (GitHub) |
fc4d896380c961454c0e4e2298b4b42f7da55011348cdbec3ff9a56ba169b7a0 |
0 |
0 |
AWS EFS Fileshare Modified or Deleted |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
320cb5ec91c7d2c86ae27ee1a995b6a6fad692c4dd4716db1bddc009cef68f24 |
0 |
0 |
AWS EFS Fileshare Mount Modified or Deleted |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
557ffbb2dc96ead10718f0ce8e23abbd4520126cb5eb85b94b8f3d19e7ff6442 |
0 |
0 |
AWS EKS Cluster Created or Deleted |
Austin Songer |
Sigma Integrated Rule Set (GitHub) |
633e9cc212d624837b46fa0381b5cb0f70e8a41bb219ae76550b862d16340cc1 |
0 |
0 |
AWS ElastiCache Security Group Created |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
82c9482509e59596843bf9c369a8a818e8248c0b8cd43217762ccd4546d5471e |
0 |
0 |
AWS ElastiCache Security Group Modified or Deleted |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
886c07a825a6d3bd1d71d9238ecd1c47fe341acccd997dfca9df6d55d0ce1924 |
0 |
0 |
AWS Glue Development Endpoint Activity |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
535cda9e5250683c27341783e572cb03b5946e3a3930ed6e7ec71fb51411adc6 |
0 |
0 |
AWS GuardDuty Important Change |
faloker |
Sigma Integrated Rule Set (GitHub) |
315526975358ad2d0fa1b5c44442eda68a1a8a523b0c894de935ec21708b66ab |
0 |
0 |
AWS IAM Backdoor Users Keys |
faloker |
Sigma Integrated Rule Set (GitHub) |
8ccb5db92041ee60e6fab70bedfd8e59fb916edc1226612863ffd244a78e453d |
0 |
0 |
AWS IAM S3Browser LoginProfile Creation |
daniel.bohannon@permiso.io (@danielhbohannon) |
Sigma Integrated Rule Set (GitHub) |
437d0bc43652ceda0aa87573bbb94c3a919d6866b644ea5935d46f515145fc48 |
0 |
0 |
AWS IAM S3Browser Templated S3 Bucket Policy Creation |
daniel.bohannon@permiso.io (@danielhbohannon) |
Sigma Integrated Rule Set (GitHub) |
7049949eb6250edfdaff9c6f6f75c3553d4b1881214da41a939e993bd88d9f2e |
0 |
0 |
AWS IAM S3Browser User or AccessKey Creation |
daniel.bohannon@permiso.io (@danielhbohannon) |
Sigma Integrated Rule Set (GitHub) |
5db3d37986abefcf6bf627dfa9d9830a3ac1571749b330980a8124cb7f10ab81 |
0 |
0 |
AWS Identity Center Identity Provider Change |
Michael McIntyre @wtfender |
Sigma Integrated Rule Set (GitHub) |
dccc6f68a8c5bf874a96b9f05101b5b2d8dd8c2a7c433bfdc35d5e347da2d64b |
0 |
0 |
AWS Lambda Function Created or Invoked |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
3bf7f1b2fd7fe897356a4416891664478c352bcff4a562abbb4e29d59be58cad |
0 |
0 |
AWS Macie Evasion |
Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
2caf12ef20a741df57dbd3af15b2018c587c7143520a8c077a4fb25e6dd8d75e |
0 |
0 |
AWS RDS Master Password Change |
faloker |
Sigma Integrated Rule Set (GitHub) |
5ce71a8dd2051186eb3bc827687f0161dcd856a3aa78737ffc610f6040d4166c |
0 |
0 |
AWS Root Credentials |
vitaliy0x1 |
Sigma Integrated Rule Set (GitHub) |
9a3dad9567f385fd12f06417761f939eaf3bc223c50daac4c997e6f50f690b0c |
0 |
0 |
AWS Route 53 Domain Transfer Lock Disabled |
Elastic, Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
91af3f000e86d4d90b8e282d15d62993f5d5ca87f5375dee075988c20a572c22 |
0 |
0 |
AWS Route 53 Domain Transferred to Another Account |
Elastic, Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
79dd906114c4b150b65cf759c1c0d1d83d74766afc2feb337b08ee12e340a013 |
0 |
0 |
AWS S3 Bucket Versioning Disable |
Sean Johnstone | Unit 42 |
Sigma Integrated Rule Set (GitHub) | 3cc53b253ecc68b55a375ab2fbac3f07dbdfab032ee9f12b7c3083e5969872bc | 0 | 0 |
AWS S3 Data Management Tampering | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 14d9fe2befc885c1ed6ef46a55bc25f96407917c2385e324b8515b53a65d4b36 | 0 | 0 |
AWS STS AssumeRole Misuse | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ab071ff54304ef514871c1e84cc731ded005fa0ccda3b66616554a41d88efa5e | 0 | 0 |
AWS STS GetSessionToken Misuse | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 6994df5208389be2d74373903274ef547c51d5eed02015e25e143b1932795aef | 0 | 0 |
AWS SecurityHub Findings Evasion | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 4e8ffcd6780ba56d1f2fa59f77317ebf859a2bf43c4be7719f81b9e03dd5c83d | 0 | 0 |
AWS Snapshot Backup Exfiltration | Darin Smith | Sigma Integrated Rule Set (GitHub) | 5a500ea597b28e994e29f0847cdbe9dc1abe44d081a8453bbb371eec0bb74180 | 0 | 0 |
AWS Suspicious SAML Activity | Austin Songer | Sigma Integrated Rule Set (GitHub) | 173a650247a0aa08e4f7d1fbb1ab2154526c9f23e45d9bbfaab1313385bc23ac | 0 | 0 |
AWS User Login Profile Was Modified | toffeebr33k | Sigma Integrated Rule Set (GitHub) | 943930b25869dfad30c94e1eec864e899816b0d8b783767e1940cd6e0138d53c | 0 | 0 |
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | 1ed460e3d1d675508d6550ae97b5b02fb7d2a41633cf104dd13ec5e3898fb4d8 | 0 | 0 |
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | 3f23a6c297c45d5a9d63d790d48c7f197bedbf2e2a62d28b67dec7a5a79e3196 | 0 | 0 |
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | aa47fee25ec87cbc15062b8d3f7e0acb8e38a64de307365aeec8cfbe02f12c8e | 0 | 0 |
Abuse of Service Permissions to Hide Services Via Set-Service | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 44099719049070f990e032a6707550adf96a4eb8cdfdb10f3f37381678c18ccd | 0 | 0 |
Abuse of Service Permissions to Hide Services Via Set-Service - PS | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de5075c9666beb50edc776fa77e0615b1a9eee5a4ca639b4f9dadfa59d3ff764 | 0 | 0 |
Abusing Azure Browser SSO | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 3a3618c16315d61e28176798a3bb0420bd03a4732de42920b67e1c038effc0cc | 0 | 0 |
Abusing Print Executable | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | f96e4beae00ea6ddb52dd039e1527892e6c52cdc577988ec8e7730fd3b4cd9a7 | 0 | 0 |
Abusing Windows Telemetry For Persistence | Sreeman | Sigma Integrated Rule Set (GitHub) | 215ab0e3f729db474131b73eb9950bd1decd0ab51c4d221a489c48004d3684e0 | 0 | 0 |
Abusing Windows Telemetry For Persistence | Sreeman | Sigma Integrated Rule Set (GitHub) | 37508447092b61198dba6c2077887c7bd32c0396716095cb8e25593a16b30929 | 0 | 0 |
Abusing Windows Telemetry For Persistence - Registry | Sreeman | Sigma Integrated Rule Set (GitHub) | 29f4b4ab96f93520895ca3d47ccf106f5a6fecadf74906d79a302829883cd114 | 0 | 0 |
Abusing Windows telemetry CompatTelRunner.exe(Audit Rule) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 879510fbd52dc559762564e9dcee6b800c7ebe8846c237911775cf3f6d8d3cd9 | 0 | 0 |
Abusing Windows telemetry CompatTelRunner.exe(Sysmon Behavior) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 18fa931666e2ae680fb1e0dcec0ba06dadd31ca6b52d9c619bb42fca8b7d7048 | 0 | 0 |
Access To ADMIN$ Network Share | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9b8b6fde8104ca3626c27c746a6e6e07d3f8c89905e685f9a05cb5f6f4edc379 | 0 | 0 |
Access To Potentially Sensitive Sysvol Files By Uncommon Application | frack113 | Sigma Integrated Rule Set (GitHub) | b38d0b5e0083ed5d0257c1cdbbbeb87d20d542cbfae2fd1c6f21a4fc2f16a035 | 0 | 0 |
Accessing Encrypted Credentials from Google Chrome Login Database | frack113 | Sigma Integrated Rule Set (GitHub) | 51e8e5e690970ad68d784525926120f9a5afde96ebd20253e92cea0d07d54399 | 0 | 0 |
Accessing WinAPI in PowerShell for Credentials Dumping | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | a683beca7674cad333d64a1ffe5ac971414b265f15a99e2f9d2c7ff967cc2fe2 | 0 | 0 |
Account Created And Deleted Within A Close Time Frame | Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2a8a66e18503e4b2c237bf255508bf585dcac87a732728cbbcd511bdd1ff7358 | 0 | 0 |
Account Disabled or Blocked for Sign in Attempts | Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 82398e3143a953cf8bf5e000c262201372c12f810b17f62d62c997beddd83dff | 0 | 0 |
Account Enumeration on AWS | toffeebr33k | Sigma Integrated Rule Set (GitHub) | c2d1da71047d12f3e9e82a9b10ae31b7f37c8a89483a537c7049c6f83abd4cb0 | 0 | 0 |
Account Lockout | AlertIQ | Sigma Integrated Rule Set (GitHub) | 1fe55c2a4747185813415dd5f4e3e497c4f1fc14e546ea9fe496f104438a0870 | 0 | 0 |
Account Tampering - Suspicious Failed Logon Reasons | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5589ef9f2fa4b4fc38d9e2634cb65b59cc829a86599e808fda10586d97094d5b | 0 | 0 |
AcidBox Activity | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 7036d84b791069d70f9a381859bbfdaf7d37a698a47948b343a49a64ab652cce | 0 | 0 |
Active Directory Certificate Services Denied Certificate Enrollment Request | @SerkinValery | Sigma Integrated Rule Set (GitHub) | 7cd952b012e16e337e58b561bc42a1bbc8df8fa5d5ae9545ea7da49588d5a227 | 0 | 0 |
Active Directory Kerberos DLL Loaded Via Office Application | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | a2eee7390841d2713ce09ab45175d989688027fe2141938274b88a1dfe11b75c | 0 | 0 |
Active Directory Replication from Non Machine Account | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | db12e3072dac7d4a4e8f67282fbba19b12ef761b40ea26359caeec8051cefcd2 | 0 | 0 |
Active Directory Structure Export Via Csvde.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 695199c448d3b12a58e3752401bf07e8b2e547d6efe0e6149ba8d32748ca9966 | 0 | 0 |
Active Directory Structure Export Via Ldifde.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1c98f725d32ca2cd92f710aa97272bf68fc96ad54e57d2d1ca4444e8c95bc7cd | 0 | 0 |
Active Directory User Backdoors | @neu5ron | Sigma Integrated Rule Set (GitHub) | b0cd1653d4d8f0519ad99bcf040b2db9dd835f2df6daa9087c3e4e0a13beb319 | 0 | 0 |
Activity From Anonymous IP Address | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 4b5953885124610db6a2753fe567794515d46b1a767d821523e7f64e2dabb37e | 0 | 0 |
Activity Performed by Terminated User | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 02b84310ae0b2a94f86e5369d7ec39f1a701aed32bc6728b909b446f929745c1 | 0 | 0 |
Activity Related to NTDS.dit Domain Hash Retrieval | Florian Roth, Michael Haag | Sigma Integrated Rule Set (GitHub) | 36868991a76ff137e30dea5f77cced4da2254db444c41aa5f83cc7ba6b8fed48 | 0 | 0 |
Activity from Anonymous IP Addresses | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | efecf6d62b61312f886723f752a5c2ee5188a1bac0ee585294f03e08291d66b8 | 0 | 0 |
Activity from Infrequent Country | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | b9be4401ecfc9259f3e9b16e77573b0abed2cf0df93e746abce40e64e7cea7d4 | 0 | 0 |
Activity from Suspicious IP Addresses | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | c020af8eea2544a4fee04ed5143d696c1224c429b3a7871cc87b00b8d5c6cc8f | 0 | 0 |
Add Debugger Entry To AeDebug For Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4d9fecbabddea65e4e2c196b0377faa0c800a01ae4b90d37503e8e59aca0844c | 0 | 0 |
Add Debugger Entry To Hangs Key For Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4efb3c3203a4753b90d62be615436fbd2c115d65169098494cb312184a25c564 | 0 | 0 |
Add Insecure Download Source To Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 69a1d86d6744047fb3da5e8d6658a659166715e107e7410172091d94fa935e4e | 0 | 0 |
Add New Download Source To Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4e66bd1dd5fee57f4ffe2ecf83a8243471e8dda3f75ccc5321ecf5e8bd5497d5 | 0 | 0 |
Add Potential Suspicious New Download Source To Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2c1d246414b6774711179081e13ab823b6631ddb09a24e701d4c5878e6c8e37b | 0 | 0 |
Add or Remove Computer from DC | frack113 | Sigma Integrated Rule Set (GitHub) | 03210cc4570a84f3b468c8ee247567289fab5fdb4708b2818749e054268a37ae | 0 | 0 |
Added Credentials to Existing Application | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 76dbf85ce46cb957c64f0c64aec7bdf0c8e0a69603d808ac7f3607c24dbe7616 | 0 | 0 |
Added Owner To Application | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 10d9f80cd3b66a46c4b6914ee1f2de614ca2643c9c8d42baa1215bd4b6cdf58f | 0 | 0 |
Addition of SID History to Active Directory Object | Thomas Patzke, @atc_project (improvements) | Sigma Integrated Rule Set (GitHub) | d755877a01e9e73bfd7efde3363de1b7976022aad16110c5a4b2995a9f8604f2 | 0 | 0 |
Admin User Remote Logon | juju4 | Sigma Integrated Rule Set (GitHub) | ba345e8f98204602e6652f9d41bec21ffed8e55fe558a98315201eec3993eefe | 0 | 0 |
Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 1e081f4ac10fa7ca5c1322255b4569d35b221c6b54e93ab5bd06bd891b690755 | 0 | 0 |
Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 5fbf642a60f85b04f337ffeb9e377bf01fbe1ca8b9325ead915068bbec2ec06c | 0 | 0 |
Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 654d8ac633b50e98138bcb448019dd2fcb8c0384ae47263728f8b4fd84b8ba98 | 0 | 0 |
Advanced IP Scanner - File Event | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 946d2bbdd10c544f6435f9b58d066f0d418f7bf78478848e179abdd8b5ec19b8 | 0 | 0 |
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 29d8efa02d53ac611d0b491bedaddbcd34e06668c553dd702b761afceca6d91c | 0 | 0 |
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 40b38a30ad910fcc157b48f5890f35898cc92ae17559bda1764e434dfc37c1d4 | 0 | 0 |
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 6b74b152297fb45850c046a229ca64920ee9d973e33fdb61c3954a849baa882e | 0 | 0 |
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 9a837c56dc81ffe30b3cbb46efbb5eaef5933b049b212514e9bb4380f12623c0 | 0 | 0 |
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | e1d3ef681f53390850fb5bcd89f8d9388eebce85673fe6b8f766bd596275003d | 0 | 0 |
Adwind RAT / JRAT - Registry | Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 2430fe9fd6e24946c8534bace62f59a139bd0871a15e594408a81134d905d1c3 | 0 | 0 |
AeDebugProtected Reg Key Persistance | Den Iuzvyk | SOC Prime Threat Detection Marketplace | a3febaea6fa1eefc8642f7d848d0b2d4f2b70c0359fa395d9e8ee921c218b36d | 0 | 0 |
AgentExecutor PowerShell Execution | Nasreddine Bencherchali (Nextron Systems), memory-shards | Sigma Integrated Rule Set (GitHub) | bdfecd34e78aae683a75a4a2ea4412bf84cb14ba9fb9fac298724228723ad016 | 0 | 0 |
All Rules Have Been Deleted From The Windows Firewall Configuration | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de3c3a1f1f885a99189003961c40507ff50155075f1847683580c0391eca48c6 | 0 | 0 |
Alternate PowerShell Hosts | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 66d3c05927db71e9d8760c5353ef8a161521b446c0b6cb8ea538a081d2d15e8f | 0 | 0 |
Alternate PowerShell Hosts | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | b98a87132b8f25c1b28f308d62a1f37edb6a16c239e5d98a314a15853193b18c | 0 | 0 |
Alternate PowerShell Hosts - Image | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 1ff53e9fd6749954464f3ac22171fc115796cbc09d5ac9331d6db4cad674287e | 0 | 0 |
Alternate PowerShell Hosts Module Load | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 0b70b2266832f57d7fcd62d232b3b469d8788c9a97ee87dfac1147dbd08533a2 | 0 | 0 |
Alternate PowerShell Hosts Pipe | Roberto Rodriguez @Cyb3rWard0g, Tim Shelton | Sigma Integrated Rule Set (GitHub) | ba100a757ed85b5b1b191f9aa12c8123ef59a9afd99c6cb8fdaeb4f7bd4e12fa | 0 | 0 |
Amadey Botnet detection (TA505) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 472362d8dcad8c26a75836b16e7f1e1fa272f614affc2dd864632b8a3af7e12f | 0 | 0 |
Amadey Botnet detection (TA505) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cec4465383805716c59e96f51fd252bb21a3cba08cb59dfe0e21d49eaaee228a | 0 | 0 |
Amadey Botnet detection (TA505) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | dabd120c240b719397478da50d0bac817e3ab6b120221b5c78ba3d5e42143637 | 0 | 0 |
Anomalous Token | Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | b846a74a031dddc8eb999ae718960dbdc1ebd083e2d74d1b3cb128e93732595c | 0 | 0 |
Anomalous User Activity | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 64bd84282a8aeb94417f4f19c1ee558b99343dcbd297434cb6ea671307569a58 | 0 | 0 |
Anonymous IP Address | Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 2caa74eef36a842c955ee17e24b80f472a4be38dcc379c3b068528ed8a23adc7 | 0 | 0 |
Anonymous User Changed Machine Password | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5262477d283c94c8a282e110700640abccc3d50d92a485af02adb2a0ed079358 | 0 | 0 |
AntiVM | Joe Security | Joe Security Rule Set (GitHub) | 53c56007ae94680c26786bcd895d2087db975d72635c0646c8e0ee8b2ca6539b | 0 | 0 |
Antivirus Exploitation Framework Detection | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | b74dd119e6b8a4b8160d85ec696dd1b8f9d9990a6eebdc5abee1ce10d635d8fa | 0 | 0 |
Antivirus Hacktool Detection | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | c199a1ab724951efd7b45265fbdd55c15874411108f51d080ff79caf07509ed8 | 0 | 0 |
Antivirus Password Dumper Detection | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 26728f84df236571280d6d8d3ec2ef0250723676cf344e0e4b29b397901037d5 | 0 | 0 |
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection | Sittikorn S, Nuttakorn T, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 22284a04af59d3dfb90caff89d34cb8f366f73553f1aa99101a46e88e4200b71 | 0 | 0 |
Antivirus Ransomware Detection | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | 8d8c06ae6c280fb5c26f506a8eadadc666e6b8a4b115fb8c68decf1202868f19 | 0 | 0 |
Antivirus Relevant File Paths Alerts | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | a3fdf9ece7053d2030dc642bd2eb70cd4c3a3e45f7939313db5d59ae6fec42db | 0 | 0 |
Antivirus Web Shell Detection | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | 0abd8831aa5efdcfa40c619dadeb24d85fa74d097fa44e68d639accddb2a7e70 | 0 | 0 |
Anydesk Remote Access Software Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a74b000fa65a105160edaf2cea082befdfd07389b3d81378fd43cd6abf3a94b0 | 0 | 0 |
Apache Segmentation Fault | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 723a6621f9b140b510c7f46523b33c69c2beb3f9e824516e07e5bb83aa5b0d26 | 0 | 0 |
Apache Spark Shell Command Injection - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 245d51be14a6aea8247e090ed8bccd7ff1343a69fe3e5ac425960f84c6c0d629 | 0 | 0 |
Apache Spark Shell Command Injection - Weblogs | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6049b3cd09fadec41e58f1373307e089bec9fc104540bffcab8d389ffd26e28d | 0 | 0 |
Apache Threading Error | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2210d9229d212ebd79a69712d72ae5590caccd7f8c47f91331c431e3394f87ce | 0 | 0 |
App Granted Highly Privileged Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | f5c2edfa4568095138a74e6d1258f67aacbb769134e9dbb212870a4a8de09873 | 0 | 0 |
App Granted Microsoft Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 2d29ecc9290d6afa03d733640acc3d0d220b0b393f7b2719ac33295f58c34e63 | 0 | 0 |
App Granted Privileged Delegated Or App Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 959c26d059b6b1c8acebab85f72c99215eee0aa0897c32c96524377b6f90e88a | 0 | 0 |
App Permissions Granted For Other APIs | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | a6bd215d292cb31faa9264f005c75200c428fc84f750306c85eb596505799c29 | 0 | 0 |
App Role Added | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 7b9cf1b24ba10b85109a309c8ec31d9cc0cb3bd010d2ee2c99bdb301b4a482fb | 0 | 0 |
AppX Package Installation Attempts Via AppInstaller.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 8c20386ca2239562a26b808135071390e3abe7434cb251781a4656b1b4cf71e6 | 0 | 0 |
Application AppID Uri Configuration Changes | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 7bb4d1866297312fbaf22981a0884a00cd2b6cc0884294b995f8af22637b8c42 | 0 | 0 |
Application URI Configuration Changes | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 602740da70d3ff3d4654b32be683dfb1b49ad03a45553e1380a03ee918bc32a5 | 0 | 0 |
Application Uninstalled | frack113 | Sigma Integrated Rule Set (GitHub) | c82edf1cc13cd1fb147ab2b58854576c3cdaad0a6d5b8b4fecbf68a08a1e742a | 0 | 0 |
Application Using Device Code Authentication Flow | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 226c91fcc62837d3f1c04764f19be2a014d6d398a9af8c46e6ff6ef2d28fa6f5 | 0 | 0 |
Application Whitelisting Bypass via DLL Loaded by odbcconf.exe | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | e7b216cf44265cf356b012760fb4e0a6e04289ad81a1fe180bdb6b75c59729a0 | 0 | 0 |
Application Whitelisting Bypass via Dxcap.exe | Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 208e2a3b52a6d211e7c5b85a6b02a3d7b276c3d13e266917a5e033a43cc39d85 | 0 | 0 |
Applications That Are Using ROPC Authentication Flow | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 4edddc78b121c570c0cc0b8f9f34fda448ae47381dc23fa34d0e92afb84b8c56 | 0 | 0 |
Apt GTFOBin Abuse - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb264a5706df7ef97923f067f7e95a160f5ac20d0a2a45fdfd4358ea9601ac11 | 0 | 0 |
Arbitrary Binary Execution Using GUP Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3eb1798da734a1175f4064db9bcae87d8f1e0635b2a5bc95e9211a3604b8c76b | 0 | 0 |
Arbitrary Command Execution Using WSL | oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4deaea65e083744047018aa4fd0ccf242ffa901cc82a5f427d710fbb717c213e | 0 | 0 |
Arbitrary File Download Via GfxDownloadWrapper.EXE | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | b72d2ff1b4c8867cd160c5e82653d122b03a4c6bca9ade97373922682058cce1 | 0 | 0 |
Arbitrary File Download Via MSEDGE_PROXY.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | 4a4f3b3a6b4761824b12ff4add9777ca49194d21eec186fa40bc13197799e975 | 0 | 0 |
Arbitrary File Download Via MSOHTMED.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 60d28276317f25fdc7fa0acce62da99237f387d5ab5624b5f0fb9a3311f144ed | 0 | 0 |
Arbitrary MSI Download Via Devinit.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6c91ae4afec46136577c1773ed9b9e0de2efd87a7f856d642c840bcd7ecc1a2f | 0 | 0 |
Arcadyan Router Exploitations | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 0274ce4cedfe4942275222ff262ad3bc4a6d9230e7d8aa753adaf19da3b08ebe | 0 | 0 |
Artrta Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a460ea212cd93f867529a23e3064a9972f4e4b97bbba5f916b427016caaccd93 | 0 | 0 |
Aruba Network Service Potential DLL Sideloading | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5179445d911d6fbb8c94da23454267597f95beaeaa0630fb25175609654f9df3 | 0 | 0 |
Assembly DLL Creation Via AspNetCompiler | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 19fb2859f06a4a8b6bbf348964fa58bca94f9c43b17beea1cf95306eaf700cd4 | 0 | 0 |
Atera Agent Installation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 25ae1d6038813be4c6c9dd482574522a1ec3ed0d01450b06b4673f94bef1aa71 | 0 | 0 |
Atlassian Bitbucket Command Injection Via Archive API | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d886380a9f8a967bf006cabbc3bad64fdf82ea3450ec02b40bcc4c56ea33900 | 0 | 0 |
Atlassian Confluence CVE-2022-26134 | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | da92610c4bf2acba31703944912a2d93f568fe02dea678aa4640ab4c80536cf3 | 0 | 0 |
Atypical Travel | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | e792ba76039fc494b513ec5802928f949b5e7be8a39625fb6eab43b9cd6eb1c0 | 0 | 0 |
Audio Capture | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | a4baf3681957e567a0dcabca982a74d6ef27a7f4371c330e743abb82201ce772 | 0 | 0 |
Audio Capture via SoundRecorder | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 9d251711b5a07fe8fb5fa341d8312ddbf0fd1b878b4a2d04e5feebb9885f1067 | 0 | 0 |
Audit CVE Event | Florian Roth (Nextron Systems), Zach Mathis | Sigma Integrated Rule Set (GitHub) | 0c184188e5202d857b8ad97911db2679f4da47c8ff9498e869e2794f4b017d77 | 0 | 0 |
Audit Policy Tampering Via NT Resource Kit Auditpol | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a5d0ee315323a7612e8c53b5bbcba868cb9cf4a4b8ca2b5850b97eaf2c03f1e6 | 0 | 0 |
Auditing Configuration Changes on Linux Host | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 08bdc4ce556bc84980d5552bb3426a25d11cc00dfa1d2ca4e727b609ad595cb6 | 0 | 0 |
Authentications To Important Apps Using Single Factor Authentication | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | ab5210813ff4cfde3cc40f087e36f3bb3bf91424a6843fc7c43981fdd0d43638 | 0 | 0 |
Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 312ca94426dbc718ff09f09e6a43b898190a0aaf80ccbf8bbc1faeab30a2381d | 0 | 0 |
Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 384c8a60fa80b800ebd740d52e56ddada550877252c4a1c54b09045cbd667d20 | 0 | 0 |
Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | eb88bdebe1990354c146b84c3335fe5d42136e63848540b27845073f1f61fd4d | 0 | 0 |
Azure AD Account Credential Leaked | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 9cda8f933f8bc9632d3fa51658a20896b9a602d8b05e8da67dbb407053aad8fb | 0 | 0 |
Azure AD Health Monitoring Agent Registry Keys Access | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 3bfeb8cfe94b16cd5b7f3c96024b95509404dee7b48144b2af8aa5ce4779de13 | 0 | 0 |
Azure AD Health Service Agents Registry Keys Access | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | bbe20978cff2db9667ec877573b1107ee982ff6d743fa80d3cbf2b74771a384a | 0 | 0 |
Azure AD Only Single Factor Authentication Required | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | 6ec6f440b21637b3be0f9f60a20e5f6fe64fbe1d64418abc56449a7f4b56c642 | 0 | 0 |
Azure AD Threat Intelligence | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | b1484637bfce10d9b44b0b61a9a4badb20c3afda6671147541216b01dd841cb9 | 0 | 0 |
Azure Active Directory Hybrid Health AD FS New Server | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 74b3585358a705f41a3c47ca255f4fdf226f80d67efcd8180692d9830cb0cddc | 0 | 0 |
Azure Active Directory Hybrid Health AD FS Service Delete | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 79b78dee5286fabf9074e377bf3ad75038d8b8d9a5087f439b47b5c962e9a221 | 0 | 0 |
Azure Application Credential Modified | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8249fead423c34843b4256f38229856595e4938b344740799a977671a8721be9 | 0 | 0 |
Azure Application Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 2ca197a0660bd80fe905e4ca00acc28acc9704a89ac7f82e3b3f99f91c2277bc | 0 | 0 |
Azure Application Gateway Modified or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | 99cfccf0f7621c216ab9a6e574118c7d08bd147ed24fdfc923c1bef27869dd2e | 0 | 0 |
Azure Application Security Group Modified or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | fee924d31493870a0e467e4c218281258f926382c4aed996e8c0ead7b0ffd1a1 | 0 | 0 |
Azure Container Registry Created or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | a50193cebf131589afa2e4c5caf4bd66397e7f3e21a007d2dceb8a4a87b50ef2 | 0 | 0 |
Azure DNS Zone Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 43efaace741bf5e0b6dd18d8ac4cb9c2541ae1076b512e1bd743a3064a1e6bd6 | 0 | 0 |
Azure Device No Longer Managed or Compliant | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | c81341f9f6cd4cd0b87566645bb2e5b8bcbf96eb3f70ff9b56ee3abf4854e84d | 0 | 0 |
Azure Device or Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 96deb162e4d7078c4d37c8e9299cd36a06bd4e7851a6667dbf6d26a2c982d28e | 0 | 0 |
Azure Domain Federation Settings Modified | Austin Songer | Sigma Integrated Rule Set (GitHub) | cbd7365e52f94f02a513846714617391f68f6912003a2eb9a0bbacf128259b5b | 0 | 0 |
Azure Firewall Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d45698a63ac241254c2e58e006dd45b43f164ffe1d0a192e9e4bfb69fd4d0a70 | 0 | 0 |
Azure Firewall Rule Collection Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4e5d8654f38840ce7dfb65eccbb26e41cf2087dc48fd3290abc364e99ff6c223 | 0 | 0 |
Azure Firewall Rule Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 1966c63d48e697e85ff918b12a3933601905b8e608c26a39ba40d0802843a0a7 | 0 | 0 |
Azure Key Vault Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8277b5e14bd624d703568cc728cc7573300e7157c6085a669f3c467b2b2dc91f | 0 | 0 |
Azure Keyvault Key Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 9cd4b711206e3c37197e34894fa230459f8f3973e55a8393632f7b4f394a0757 | 0 | 0 |
Azure Keyvault Secrets Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ca76365114071335144bbd16aa1ff1702fba9628d9339290e6ad1ca4038485b0 | 0 | 0 |
Azure Kubernetes Admission Controller | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 0f1f0dc48da97695cb6527b079cf0a309aa8c1f5330034f614fd18aa4a3a515d | 0 | 0 |
Azure Kubernetes Cluster Created or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ad11168ee302b9e417ef34de10e853a070a2255f619a0f2e5ce8093efa4125ec | 0 | 0 |
Azure Kubernetes CronJob | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 6f0756909a231b1de68feb41531a09f1b4aa980d4cb705216064bbf410c47f38 | 0 | 0 |
Azure Kubernetes Events Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8d931927daa9fe944bfee3fe82c6723e2f8c8daab9a97f657c6b92eec3f60413 | 0 | 0 |
Azure Kubernetes Network Policy Change | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | fa73bc2ee70f7f45ebea4039e72ecbf9d55585af7633d7dc5ee78175f740c847 | 0 | 0 |
Azure Kubernetes Pods Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | e96da18a9f7bce0ba8dbf0ea74585858e37bdf438c3a3acf0e69ad4f611d8e00 | 0 | 0 |
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | dcf545836738f2f84a8fe309688d2565d5db60f2003e89935f9c884ebde8b2f3 | 0 | 0 |
Azure Kubernetes Secret or Config Object Access | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | dcea1ea1d9ac39af65a5f28568f16c91f9dc4c647daea19dce016dd2466bdbd8 | 0 | 0 |
Azure Kubernetes Sensitive Role Access | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 23e30fa444fae1b172748e6a76e829b2b5bc2d747c0c6d679f757fbdb036198b | 0 | 0 |
Azure Kubernetes Service Account Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8a73631fa6f0fa5dff761b9c6c0a3ccf6a66f656636662418503f105d17d8993 | 0 | 0 |
Azure Network Firewall Policy Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 9899c52490520e420876ad5de364f9f956e993c38bb2bf6e26f7afad6560eee9 | 0 | 0 |
Azure Network Security Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d91818569830303d0793ec9cdf27d592e581e957caa02141080927e8d4debd7d | 0 | 0 |
Azure New CloudShell Created | Austin Songer | Sigma Integrated Rule Set (GitHub) | 168e1c35ae1332d1fde280357d55f94bc3fa72d5f623c5075dc9e95719b508e0 | 0 | 0 |
Azure Owner Removed From Application or Service Principal | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f497fa0952b0643d212e000f9beedfa0e38c340e126cc980759fd73aea3f074b | 0 | 0 |
Azure Point-to-site VPN Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4fe122fb2f4694c438ef09c62c437757ffff5f2960a1d78aa757b6f0cdab3541 | 0 | 0 |
Azure Service Principal Created | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8e656dbfb37b60d6fef29014993072a6b8341f80dbd9d2ac0901fc71eb99b51f | 0 | 0 |
Azure Service Principal Removed | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ce41462e381c9c869284161db12adbbf2078003b7ce16266c923d3dc021e19a0 | 0 | 0 |
Azure Subscription Permission Elevation Via ActivityLogs | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5fc1781e8afc3e000022771fd6678ed7bca2e931810fbe088916375a89ca353c | 0 | 0 |
Azure Subscription Permission Elevation Via AuditLogs | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f1133baebe520b6bb3b6aa03c2a199e4297f5620463593d2698f7317285f40a5 | 0 | 0 |
Azure Suppression Rule Created | Austin Songer | Sigma Integrated Rule Set (GitHub) | c024312538da26140188fc0c40fb6fdffd2ba7813aeb307a59b8a7a73953de52 | 0 | 0 |
Azure Unusual Authentication Interruption | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | a2fbabf1ea8e4593cac5c7ebaa8163ce713e0ccc9f65c8c76fd6ac40c53ccab9 | 0 | 0 |
Azure VPN Connection Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | e0af5f08fe2a083cdd976c7c926cdeee6d6099cf28085ad65013d5a1c9041186 | 0 | 0 |
Azure Virtual Network Device Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | caa2f19474e04314ce3f38bdc4f01d4f9704a841377ea129171fc6d2ec5f08e0 | 0 | 0 |
Azure Virtual Network Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | daf496c3dedf483941f3040398af3b052a54fea0d8f410a2407b7284ae613dd4 | 0 | 0 |
BITS Transfer Job Download From Direct IP | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a494f742d330705777e5a96f912460606a8f2e2d14c3c3ff9bca30929187e494 | 0 | 0 |
BITS Transfer Job Download From File Sharing Domains | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0d0f79e71de73c83c9e3ae928a91ccccbfa9b757e0826a629f68a3eb8cd0650 | 0 | 0 |
BITS Transfer Job Download To Potential Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 884ffa23512e6ebd77b6b249b9116f23f70d19d19433ab61ad18becb188413bc | 0 | 0 |
BITS Transfer Job Downloading File Potential Suspicious Extension | frack113 | Sigma Integrated Rule Set (GitHub) | 07b062a873c1d9a27ed7c8b25d19df4ae39cb2bcae62b16c6c0b738e0e99e75a | 0 | 0 |
BITS Transfer Job With Uncommon Or Suspicious Remote TLD | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 916d1dea4e8931fac50e75afcd2ff7c3c4eb8e68a32b9f83d9846a5baa1b41bb | 0 | 0 |
BPFDoor Abnormal Process ID or Lock File Accessed | Rafal Piasecki | Sigma Integrated Rule Set (GitHub) | ad15a7ca794c1a80d655c5a8c8ce1bd98703b84bcbe58e085c057ad49c6377c9 | 0 | 0 |
BPFtrace Unsafe Option Usage | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 14224ae90ba2bfd3b69a2ebda9756c88e99dccecb1580804850e6163e97657da | 0 | 0 |
BackSwap Trojan detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e578b7532f350b30e9614eb1a524f8d25975960eeaa667becc98ac9cd99c42ee | 0 | 0 |
Backup Catalog Deleted | Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection) | Sigma Integrated Rule Set (GitHub) | db25081a26915f454c9f9fc4dd73865d15100f764005bd361a8ec9eecee428d3 | 0 | 0 |
Backup Files Deleted | frack113 | Sigma Integrated Rule Set (GitHub) | f15234ba5cc4c709633e015e497cce2bab7cd6f91b488b8c04ecfd5651e68749 | 0 | 0 |
Bad Opsec Powershell Code Artifacts | ok @securonix invrep_de, oscd.community | Sigma Integrated Rule Set (GitHub) | c5b3ab9b3a0221a66b1da487bf7bd851b4f9cf0a8e2b7b22e659e5fd42b40815 | 0 | 0 |
Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4c21f3c713476df5631f5741b8b322c195fdd1759bd4220138d6e4d100c43b59 | 0 | 0 |
Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cf78d5c37f3b09e94b3500edde1baaf99114e6503c98d1cedbf58f67f4e2b1de | 0 | 0 |
Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | df75fb5e2add2e6674d7b5df931eb3ea32c98e61f6fcc4cb9e981b99fab72c52 | 0 | 0 |
Binary Padding - Linux | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 3fbac61acf4870c524599db45e1b2dfc09b3058a0096d5fb5b9f1cbc7cde4fee | 0 | 0 |
Binary Proxy Execution Via Dotnet-Trace.EXE | Jimmy Bayne (@bohops) | Sigma Integrated Rule Set (GitHub) | c51bfffa36c59702837651ae2b749cfa0a0eefa6354f2183cd96c2ca6ebe57c4 | 0 | 0 |
Bitbucket Audit Log Configuration Updated | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 61c9348095ebf5ff7625ff74dbde850df037d9a46df84ac9627b12f6bedb85d5 | 0 | 0 |
Bitbucket Full Data Export Triggered | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 67c6db98ef2ff7fe735b9b8192be2b89786a47f612eba9e4b6418d54d0e11c96 | 0 | 0 |
Bitbucket Global Permission Changed | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) |
5543e07c1bb6569086e69c3279d2d96bcf955250b783c0cd6db1e89148056973 |
0 |
0 |
Bitbucket Global SSH Settings Changed |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
6293e5866f1c28cf8d4a6792303175d2f10a3085601bd83c10942bebfdca931c |
0 |
0 |
Bitbucket Global Secret Scanning Rule Deleted |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
02a74ca160c2c562dcf2cfb4992cf13a25837760abc8501b496a68f565de0b6b |
0 |
0 |
Bitbucket Project Secret Scanning Allowlist Added |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
58597d67250c84138fb5753f63e0f5bed18b2b273d5390c0f98ff1d3d698d7f5 |
0 |
0 |
Bitbucket Secret Scanning Exempt Repository Added |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
0b9a4de8a4ed1e5d9763f57ec1859e0ad43c06ad52598642e870e936c3e8eb11 |
0 |
0 |
Bitbucket Secret Scanning Rule Deleted |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
590a9d6a694e6ab2d76891d8386316e7b2b087d4bb6bb375a7ff67adc6108008 |
0 |
0 |
Bitbucket Unauthorized Access To A Resource |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
89bf720db274aed10819cfb8d010ac38d06299f5f748bc7f1200f58afbe9e3a8 |
0 |
0 |
Bitbucket Unauthorized Full Data Export Triggered |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
ddef89e07e9084f1ab4f1a31ab55d70c0a91e5ec3a1d456d1f6bae6589ae0c8f |
0 |
0 |
Bitbucket User Details Export Attempt Detected |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
03d0e55a5e6b4785bf1b4d0edc4efdfa7dd236861552a254173ea087ce5ecfdd |
0 |
0 |
Bitbucket User Login Failure |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
af30df46f984f2bc275184b7a59fdd467f08950571f58e6a531d5359adba484e |
0 |
0 |
Bitbucket User Login Failure Via SSH |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
c885d714c97b87e0468d4fce9c8645f881a59e50052aeac31afaf434eaf102e0 |
0 |
0 |
Bitbucket User Permissions Export Attempt |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
306d49ce32dc9aa9d68d8de966d78e31f46e981e5fd294161164e40b3923cf75 |
0 |
0 |
Bitlocker Key Retrieval |
Michael Epping, '@mepples21' |
Sigma Integrated Rule Set (GitHub) |
7b3b2c6da15ef5621daef26ebb3baabf8a365d507916d900ab1eb197769c414b |
0 |
0 |
Bitsadmin to Uncommon IP Server Address |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5a7b58d1d0d85ecf23dadf094755b9ec6fb8f853ee15f4f3959216ad963771b6 |
0 |
0 |
Bitsadmin to Uncommon TLD |
Florian Roth (Nextron Systems), Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
2e6f9336c9aa7e0fb900844db203acd64f2e49c46053557f76e819509277e0b2 |
0 |
0 |
Black Kingdom Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
7b246ccd83dc04be953170d86f9c74b4e9d46071fbc612523b2b7b5564ea248e |
0 |
0 |
BlackWater Malware (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
39cd8a4762fefe23e71b4a9c925150241a4c887c22e6c33561f972f394454f55 |
0 |
0 |
Blackout Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
85ed357648ddf115b4b4d1596a36cdf430f132c7262701da1960f5d9c685d48d |
0 |
0 |
Blackout Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b5d26570d88e55e6f8513514b34cb8ae7122dfac66a407ee89e3136500fcec9b |
0 |
0 |
Blackout Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e10ed3279956a72f0ea14fe2fcfa974f8619f90a357e53fe89511819a764c36f |
0 |
0 |
Bladabindi backdoor |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
acbedd0b4dd2d93744542676c9afdfcf6f0f313229b26f137a2d979893bec5ff |
0 |
0 |
Blue Mockingbird |
Trent Liffick (@tliffick) |
Sigma Integrated Rule Set (GitHub) |
0cb9e146271e0c9ad794c98863e0e6d9c6ca19471bfea205eee4a276fecbd69d |
0 |
0 |
Blue Mockingbird |
Trent Liffick (@tliffick) |
Sigma Integrated Rule Set (GitHub) |
8f6a9e9bbcb601d1bc09093f383e8d8f1f7f09bf7d7e69843c14a7cd880ee0c1 |
0 |
0 |
Blue Mockingbird |
Trent Liffick (@tliffick) |
Sigma Integrated Rule Set (GitHub) |
d0b6ca563c74d796de2ac3b8200508b7ea05a9ba9533d0d455ec1f717dd0b8d5 |
0 |
0 |
Blue Mockingbird |
Trent Liffick (@tliffick) |
Sigma Integrated Rule Set (GitHub) |
f1ab359e7200763d0ebd605b4d6c074a821679006372360c1fef073501822e2b |
0 |
0 |
Blue Mockingbird |
Trent Liffick (@tliffick) |
Sigma Integrated Rule Set (GitHub) |
f723401b33927cfc6f265fefe66ce2982144e1ddeb991a3b47302b70b730b91a |
0 |
0 |
Blue Mockingbird |
Trent Liffick (@tliffick) |
Sigma Integrated Rule Set (GitHub) |
fb9f6bbd034578721056b64fb7a34b4e2726da17d1cbf5711dced3ab7cd005c7 |
0 |
0 |
BlueSky Ransomware Artefacts |
j4son |
Sigma Integrated Rule Set (GitHub) |
f3f5fa46032d8e0baf435978a8204bca73e3ef7d003898fc0f5dc6b2106c03e1 |
0 |
0 |
Bpfdoor TCP Ports Redirect |
Rafal Piasecki |
Sigma Integrated Rule Set (GitHub) |
e48afde2372557d77514edca83b126212c3f48b0bf0e38f4a35cf2ae0ed2af33 |
0 |
0 |
Brute Force |
Aleksandr Akhremchik, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4307719a67c4c9c1343c12fa7fbdb91107ce614a895545a9b2de04426298134a |
0 |
0 |
Buer Loader (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
6327206ca6b0ae94eb02e02c0eda55e26020672bad83ed8831fcdc84f2c0f3ff |
0 |
0 |
Bulk Deletion Changes To Privileged Account Permissions |
Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' |
Sigma Integrated Rule Set (GitHub) |
5f36d7e3b3bc9590aa6a129e7e3db4fb78f2245031d5a0111add67b2dc8371b5 |
0 |
0 |
Bunitu Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
3a8e7baeffec67b69220da8b8d25bcae45e047937d0f2f833052ef5ea532aa9a |
0 |
0 |
CA Policy Removed by Non Approved Actor |
Corissa Koopmans, '@corissalea' |
Sigma Integrated Rule Set (GitHub) |
4b21e17c3224a50fbfa8db57e0c47405a95b42de6c2d13284a025f958c59cda8 |
0 |
0 |
CA Policy Updated by Non Approved Actor |
Corissa Koopmans, '@corissalea' |
Sigma Integrated Rule Set (GitHub) |
e97a3f03c9bdcda96062b2a4766cd34e555d12f3df4a36c6f2fd409dd05b29e9 |
0 |
0 |
CARROTBAT Malware detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
793159445715fc7a8b862f94666ae175cf0a3f6ab66c76e3af31ac86638fa859 |
0 |
0 |
CMSTP Execution |
Nik Seetharaman |
Sigma Integrated Rule Set (GitHub) |
65ffc0ddb80d953bb500276c61b57ba48cb45df5128bb8264ab47e7f48b2c9ec |
0 |
0 |
CMSTP Execution |
Nik Seetharaman |
Sigma Integrated Rule Set (GitHub) |
ba18b1afcbf41aa13fd2cd7dc8e323b09854c6f046b4a98d07c2ea5d751d7584 |
0 |
0 |
CMSTP Execution |
Nik Seetharaman |
Sigma Integrated Rule Set (GitHub) |
fcd2fd95fad355c5e2d783abef0cb21f5fcc96e6ed5e0637f465bb7e75cf9342 |
0 |
0 |
CMSTP Execution Process Access |
Nik Seetharaman |
Sigma Integrated Rule Set (GitHub) |
87af8c0b574ec328882da2ed6ae28880f2577cf0bbe165ae6e19d50475c6d86a |
0 |
0 |
COLDSTEEL Persistence Service Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0f33a99a4bfd94f2626c5a36f1f07ab980d38ccc751af58e924870e7bb930fd3 |
0 |
0 |
COLDSTEEL RAT Anonymous User Process Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
337664ed0113473c3a169dba1240dcd89d78277044915db818c8400186a76bb8 |
0 |
0 |
COLDSTEEL RAT Cleanup Command Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cb122336ed1da922ed4fde95962aad47095c1a45a1cb960241f097eafb6cc53c |
0 |
0 |
COLDSTEEL RAT Service Persistence Execution |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7118b199279bae0adaeb91281a04660e60d9658520976461b1605e87fa5213e4 |
0 |
0 |
COM Hijack via Sdclt |
Omkar Gudhate |
Sigma Integrated Rule Set (GitHub) |
ab8743ded66b586929aa13e45ceb037d6d8b0070893c7f23eb993baabe393a9d |
0 |
0 |
CSExec Service File Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c568e6bb032adea6b3158106e565d4266246268d575976495b23fb0770e903b2 |
0 |
0 |
CSExec Service Installation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bb100db874e4b53a1e43f49c1364d66fdd6660a9d6d901bc2e570295dc74ab9e |
0 |
0 |
CVE-2010-5278 Exploitation Attempt |
Subhash Popuri (@pbssubhash) |
Sigma Integrated Rule Set (GitHub) |
d934f98bfa1d3842f51f86448d12eaa5d7ae665d51986c839307e4494210607e |
0 |
0 |
CVE-2020-0688 Exchange Exploitation via Web Log |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
00d02232ebab9d4ccdb763022a32fda3d58da65c29159ed6992ba07072196b09 |
0 |
0 |
CVE-2020-0688 Exploitation Attempt |
NVISO |
Sigma Integrated Rule Set (GitHub) |
5bbc9c67b6f5cb0d9b567b095ac079935288aace38c952feeefe24cca8db2fbf |
0 |
0 |
CVE-2020-0688 Exploitation via Eventlog |
Florian Roth (Nextron Systems), wagga |
Sigma Integrated Rule Set (GitHub) |
b8583b9acaa360ecfe76d00ff9d352cbdf6d3107d975a243b3ffb45ea03c67e9 |
0 |
0 |
CVE-2020-10148 SolarWinds Orion API Auth Bypass |
Bhabesh Raj, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
b8a891b94f9eaba11d1c04c2500b004dcd5a7de6f8e0722ef3d08f910741c37e |
0 |
0 |
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry |
EagleEye Team, Florian Roth (Nextron Systems), NVISO |
Sigma Integrated Rule Set (GitHub) |
2855d4d044bf08f00f380efb88fbd76fba4f8199fdab66a8c7aaad6d63bbe63e |
0 |
0 |
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
332d13dcb0a4e1a6c422484f6927e7408031f7270166ea37cf7f557c68ec5efa |
0 |
0 |
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
5cf068578d60f0e62a85062e3f528e2e675df78e1d1b2324b93218b97404a4bd |
0 |
0 |
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
241626240096e85dd40e071e886b505b28444c8f3af6df03ef5c13b9d9776cda |
0 |
0 |
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
bd554d600bee5054372f731217934ed318c54147855183a261c54405ef43c54a |
0 |
0 |
CVE-2020-5902 F5 BIG-IP Exploitation Attempt |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
28e45cf616425b3c243efdcab379f55c65b9c0717203ffc48f3c3f124c310ff5 |
0 |
0 |
CVE-2021-1675 Print Spooler Exploitation |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d7d444c9a70f46cddde00a1fd7df0120fbe71489ab597d307121ebaa8d8fabf6 |
0 |
0 |
CVE-2021-1675 Print Spooler Exploitation Filename Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
873bf5dd3d347e031a1a45c3c7da75768415ed8da25fe6136b24881f29b6ba3b |
0 |
0 |
CVE-2021-1675 Print Spooler Exploitation IPC Access |
INIT_6 |
Sigma Integrated Rule Set (GitHub) |
f011655155a4809262d5b5b289c20c070c7a7dec29d95846c91f3e39396d8bcc |
0 |
0 |
CVE-2021-21972 VSphere Exploitation |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
2215493140650ea52f95acdf1c79355498c6a798bd8ab94a6943d450e765fd0c |
0 |
0 |
CVE-2021-21978 Exploitation Attempt |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
82d6ddf5b00dd27b2c72d0ff170f126fdfad3155a287a936bd9d6075a8f8d944 |
0 |
0 |
CVE-2021-26858 Exchange Exploitation |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
bea74b1863b1262ffbfa6ffd29da720d86bdcd7ad6ea4a27a2da1c563fcb5093 |
0 |
0 |
CVE-2021-3156 Exploitation Attempt |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
236292ff7ca8a69ab14291cb8d62c04d3b02986279a40bf5a30c9345804f78bc |
0 |
0 |
CVE-2021-3156 Exploitation Attempt |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
5d4f849169f7cbe8f891d2622b175e4a42e41f434ea0540e841504b3b7de6e41 |
0 |
0 |
CVE-2021-3156 Exploitation Attempt |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
908809e40074898d7b460586768c977b2a700582c38d0355eb3f7e823d8d2c59 |
0 |
0 |
CVE-2021-3156 Exploitation Attempt |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
ab3709539b01cbfabb623bf86f278fcfc6c5bb5e735e7b13392f184bd6bfbfc6 |
0 |
0 |
CVE-2021-3156 Exploitation Attempt |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
daa2b8c9a016f7a9553030afbe735cc198ea85e381594ee1f438d0c54496b152 |
0 |
0 |
CVE-2021-31979 CVE-2021-33771 Exploits |
Sittikorn S, frack113 |
Sigma Integrated Rule Set (GitHub) |
3fc8cf89558a3ec50308aea72b7745ae0f219f9882cda378f1cbf0487a7a3e32 |
0 |
0 |
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum |
Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
70390bef07d59937cec0216e008ce815799b4c22a5e260a684ed6bfac4fdcd1c |
0 |
0 |
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum |
Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
9c20b726dcc3e2be564bb8c45c1c3372d7051d5cf3ff87aa65115c110cb62f4b |
0 |
0 |
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum |
Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
a5aa00b412cd8e83e52f741ce80dafabe03f640d00ccf9f43a9c610344a8627c |
0 |
0 |
CVE-2021-33766 Exchange ProxyToken Exploitation |
Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8f5525eb13728c689fc0e016fae75537d736213235bcab835284983e3ec2e37a |
0 |
0 |
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit |
Sittikorn S, Nuttakorn Tungpoonsup |
Sigma Integrated Rule Set (GitHub) |
0c9b01c970160550c39d032237474fe010d45a8b283b53084a214bb65abf5fae |
0 |
0 |
CVE-2021-41773 Exploitation Attempt |
daffainfo, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
785c77adf74a5ac52d0c7c196fb79ad631311bdc96913b8d2e2b6f6486c36578 |
0 |
0 |
CVE-2021-44077 POC Default Dropped File |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3ad3f26b92d2442c828898d8d576b108116639952e23e140655f058b6a03601b |
0 |
0 |
CVE-2022-24527 Microsoft Connected Cache LPE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
39809f574bd56b1dea5fc43fa0766a4e242b3f02d25f4cc138a9d34f850e3927 |
0 |
0 |
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1cf59ae9ff5a081bc97dec79c05c8f01b9f6ba7f71e907200e83ab7d5eec3e0e |
0 |
0 |
CVE-2022-31659 VMware Workspace ONE Access RCE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bfae7dd5de2cc1be11a85762c9a4e9dcc75b72cc64c865a8c1aa30886b53cb3f |
0 |
0 |
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) |
Andreas Braathen (mnemonic.io) |
Sigma Integrated Rule Set (GitHub) |
c65a9f7bb1c6810bbd73ef2569d72d4452871449a56a7aaaa02c302c26e2069b |
0 |
0 |
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) |
Andreas Braathen (mnemonic.io) |
Sigma Integrated Rule Set (GitHub) |
3c4affe1e3fa21a8c98b93400f7e9eeeefa91fb0deaed33aa493fbab0ee215fb |
0 |
0 |
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) |
Andreas Braathen (mnemonic.io) |
Sigma Integrated Rule Set (GitHub) |
73411895e17be809dd1543e68baf5c76fcefcd7844b73e12ead59fc1b2f3c348 |
0 |
0 |
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) |
Andreas Braathen (mnemonic.io) |
Sigma Integrated Rule Set (GitHub) |
2176265defbf794b0bf2f434645dccc47580e7c53e28e5d749070f689306eb4a |
0 |
0 |
CVE-2023-23397 Exploitation Attempt |
Robert Lee @quantum_cookie |
Sigma Integrated Rule Set (GitHub) |
d03d6ef87c35d045be74c0b4e83fdf1d82094e9e8e7dc4dd0b3a991e1183c794 |
0 |
0 |
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
133db4f9fc9443b0ad9758552390f1c8352cb4eb1be719e6ae0531ff7ba00794 |
0 |
0 |
CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process |
Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io) |
Sigma Integrated Rule Set (GitHub) |
93c128b68ab2f43a2f27d357ed878d53c998552ed10a9b36e6ab28475c99ee1e |
0 |
0 |
CVE-2023-40477 Potential Exploitation - .REV File Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b5c032f705af923c7d0d8a333a943983b1113705bd56ead5babcac07085ac3d2 |
0 |
0 |
CVE-2023-40477 Potential Exploitation - WinRAR Application Crash |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d8f75c668c412d2b5a8e5deac732edf8eaaaa165b5440f42162ea2f0b717d230 |
0 |
0 |
CVE-2023-46747 Exploitation Activity - Proxy |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4210b5d3588a3457ef0fa219ba7edf5ef196664dbb73640a1bf5d298fd3034ec |
0 |
0 |
CVE-2023-46747 Exploitation Activity - Webserver |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f53f844874207eb6e912e375d0e64ebab625c3d43d4296a31cfb284c37b2f92a |
0 |
0 |
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
631a85ef66371462b3eaec9f5da06aeeae03d03ba675c40a806bdc3d68b00852 |
0 |
0 |
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fc8da6a1bd2189b538895671fa22fe7a4537817f4e7cb0ecd5e1cd1a56fc2218 |
0 |
0 |
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy |
Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT) |
Sigma Integrated Rule Set (GitHub) |
f56bb706c65c30d14bc218379ad8de699420eb8bd94ebb042d3b49383c392e91 |
0 |
0 |
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver |
Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT) |
Sigma Integrated Rule Set (GitHub) |
553efbd6a2312d925cb12bded16c4df8fa79c83257e8cba1b7a9e0e1f4319706 |
0 |
0 |
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d0efdd423541b3431540a0a6116518c58bf0f8547d8901a17042d8fac58d0d03 |
0 |
0 |
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation |
Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress |
Sigma Integrated Rule Set (GitHub) |
db3e51b1207c4b046dd3a65dcdcbb325874f14773682a626e155375a91d43ac6 |
0 |
0 |
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security |
Matt Anderson, Caleb Stewart, Huntress |
Sigma Integrated Rule Set (GitHub) |
2010070f1cee6c38cb3431c0c5ab57a0eb0ec127ffeadbabf9e63ac8585c3a5e |
0 |
0 |
CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation |
Matt Anderson, Huntress |
Sigma Integrated Rule Set (GitHub) |
fde13561262fbb7353945757e98068e731bff65279c0e776243d247b5d925aaf |
0 |
0 |
Capabilities Discovery - Linux |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c7d7a76816d1701b70058175cd64c9141dd713d3f50d5f0d656227b1e6b3b530 |
0 |
0 |
Capture Credentials with Rpcping.exe |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
15be2ea21971f32bb037bc7f681259a4f9e1989cf78ab9a1dd5f8efe68cfcdbb |
0 |
0 |
Cerber Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
064b8f335c5dad53244cfd14a7c51a8fd536dc8c86741bd6699e06ffdc7563a1 |
0 |
0 |
Cerber Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
509dbbd043383b28efe214cbd5f61869746cda8dd2069a844d35af2ad5c12e71 |
0 |
0 |
Certificate Exported From Local Certificate Store |
Zach Mathis |
Sigma Integrated Rule Set (GitHub) |
8c89cbee7e29ba90d3d255c084d1cd2d894d8554bc8c6a0e23f848fa0cedcc1e |
0 |
0 |
Certificate Private Key Acquired |
Zach Mathis |
Sigma Integrated Rule Set (GitHub) |
beec2af2d4d83b34085ae8f8046960cbe62957a2b2161262398ec726f4582d69 |
0 |
0 |
Certificate Request Export to Exchange Webserver |
Max Altgelt (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9ec2157972ed064f3fd9dc25d8dd71195ab84c7747a3c17923cb09230442d76b |
0 |
0 |
Certificate Use With No Strong Mapping |
@br4dy5 |
Sigma Integrated Rule Set (GitHub) |
d404389ca07bcefd99b150983136720d0ed2232c573c30f9f8ec97625a1725be |
0 |
0 |
Certificate-Based Authentication Enabled |
Harjot Shah Singh, '@cyb3rjy0t' |
Sigma Integrated Rule Set (GitHub) |
9f5bd6d33912f186c287bd49a47c58dbb2988d00d6ca61e3ed71108ac738a959 |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
1d13c62f756a81c5138fc3c57236cc1ec96910a5b90687e628170734dae53640 |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
1f40062e963356a7f04535a0f3fb4eec269440ca226f367f7b8bab940022cac4 |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
353ed25aa9f2dfe8e0a56f2a3321d579ce4e7e8d20563769e0f02ff01ac06c3a |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4207cea59e80ca7ec1b55f3bd2cfae0e47398daf8485c73feabf38a1484ac532 |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
5a93f630933a2040c4795df341b70fd08f3b7f1730c331cb6e025d13fe3d7d30 |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b1eb7ac5e07136335fc21860603d89c40eb6488824477f00827b6749b15c1217 |
0 |
0 |
Chafer Activity |
Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fed33455c8438e9a672de5f0fc2f48651ff0449b0427f5747e2b98db25e3088f |
0 |
0 |
Chafer Malware URL Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cadeba64d91814a5bec0863ecd58722639024a5eb3b5f8e1059bf7ac84765c9f |
0 |
0 |
Change to Authentication Method |
AlertIQ |
Sigma Integrated Rule Set (GitHub) |
b48b8735d4b0c36f6b4415f9561a541fe792f70783e40570d3558a3bdb50c550 |
0 |
0 |
Changes To PIM Settings |
Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' |
Sigma Integrated Rule Set (GitHub) |
94959dff01cdd28a250a85a42bf6d1f929fcad2d6921cf8ec73ad94b5f982fca |
0 |
0 |
Changes to Device Registration Policy |
Michael Epping, '@mepples21' |
Sigma Integrated Rule Set (GitHub) |
c58894734cae6401122b9f113877703c228c29a8fa3e4e32c1441c985c927215 |
0 |
0 |
Chopper Webshell Process Pattern |
Florian Roth (Nextron Systems), MSTI (query) |
Sigma Integrated Rule Set (GitHub) |
f3eb453b2f9a52250e3b43746736f8c9e0f1cfe7cf56756a7301cc6d67045bd6 |
0 |
0 |
Chromium Browser Headless Execution To Mockbin Like Site |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ab437fcb52c9fd0fc5d12b825d9c41f440bcebce6d6e68bf64b3c0fa8bfcb27f |
0 |
0 |
Chthonic Banking Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
5915609df8f0f33be9c7c82797ba777d92dff34c96c4483d76ea06e3a514454e |
0 |
0 |
Chthonic Banking Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b4b70fd58934de4a756c315437db626d32720d43be443f75f71a2eb971673f69 |
0 |
0 |
Chthonic Banking Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
bb3d22a048ab0177787e51d23515065a6af77e3dad57b621b06f01af9fa36675 |
0 |
0 |
Cisco ASA FTD Exploit CVE-2020-3452 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
58180314ba9a1b6fc6135d8a5452d7ec429cce39bb8a0ee05e19b8cf2240315e |
0 |
0 |
Cisco BGP Authentication Failures |
Tim Brown |
Sigma Integrated Rule Set (GitHub) |
c1c6460f01da4621d940943b027bb03ad82d2e169061a67ae8d8c857e5053d58 |
0 |
0 |
Cisco Clear Logs |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
f2d0601cc4bc2b37896ef81bb36379f95f6d6da0f54e5d298d76af6e9e34dfc6 |
0 |
0 |
Cisco Collect Data |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
2c692110983c838f0baff38e18c9350ae3def6ff7afca5af55221519eed38387 |
0 |
0 |
Cisco Crypto Commands |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
c3f4d338f538ec307b874891bf2dbd5f3ab916918bdca04a2ed53da9cb5ba3d5 |
0 |
0 |
Cisco Denial of Service |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
c9b1080d16e9e0175fdcbb202f1842cefd864c57eaa6a64ff1c1b4d6a5e71ae4 |
0 |
0 |
Cisco Disabling Logging |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
caab8d24d82768943d8a9bc5bc8ec1de7d099ef18de8846a7a84c7a0c123ae9e |
0 |
0 |
Cisco Discovery |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
922dd1761e6de8935b8deddf2c702455c9687e7ce9135ddc502be597a434ebf1 |
0 |
0 |
Cisco Duo Successful MFA Authentication Via Bypass Code |
Nikita Khalimonenkov |
Sigma Integrated Rule Set (GitHub) |
1ebe0db305a0b6286eb9ad88d1675fc096f3fbcbb19b6354549bfad0bcf6c13f |
0 |
0 |
Cisco File Deletion |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
a81d06d9e233156764ebf91e560a8a01fdf1b044beeaaa400b065b5be267cbb0 |
0 |
0 |
Cisco LDP Authentication Failures |
Tim Brown |
Sigma Integrated Rule Set (GitHub) |
e25b710f3b1915a497274ca420eccf7ce816686420806bebb413fd621f516a4b |
0 |
0 |
Cisco Local Accounts |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
066ace76e41c5e84ccb56804255ccf2d9c27332fc287e77151b9a6bd70f1d723 |
0 |
0 |
Cisco Modify Configuration |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
e1d658a7e96d34fae9c9489f15cc7e66d2d932e0902ae1d9b63e49f69008a557 |
0 |
0 |
Cisco Show Commands Input |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
52e2f120bc6f6a2fdea0d88c7334e68be41c50e02ac50ad9447e3b97ccc8e8c8 |
0 |
0 |
Cisco Sniffing |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
8acea30044d76f3304a28112da3f66be2f2b9d450a7cdd1784f9c45ad56191de |
0 |
0 |
Cisco Stage Data |
Austin Clark |
Sigma Integrated Rule Set (GitHub) |
3ba27fda76b2e27f70c6f07a668f4d28b5903a7813afffa184749aeb9b961725 |
0 |
0 |
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
afd8157e130ac5b1e85a83666d958d63adfa7ab570ebfbdcabdc1b7034b9f9c1 |
0 |
0 |
Citrix Netscaler Attack CVE-2019-19781 |
Arnim Rupp, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
98e0f69c0d080f1ab9346e1ebed9222049669b100a11bbaa8b110d9d96ad8828 |
0 |
0 |
Clear PowerShell History |
Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
860e5b755d1cea66957a1dad5567ffc45ea7e50f98c8c0958538a8507ec82f71 |
0 |
0 |
Clear PowerShell History |
Ilyas Ochkov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
Sigma Integrated Rule Set (GitHub)-dfba4ce1-e0ea-495f-986e-97140f31af2d |
0 |
0 |
Cleartext Protocol Usage |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
1f1ab8a0a3fe05dc5f6db77a733d09949a236725db888a8fc8999542edaa9d84 |
0 |
0 |
Cleartext Protocol Usage |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
4ffd878e89c72b4ceec82aae1b81d7e86116017e259d0f026184c047ac87f080 |
0 |
0 |
Cleartext Protocol Usage |
Alexandr Yampolskyi, SOC Prime, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
550069c609adf898c0cd2425bccf7458002df9eda036de658988e3fc1c99025d |
0 |
0 |
Cleartext Protocol Usage |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
d2de6c91a552659c64031d52630045d58a65e9b7f816c23dffb75c531fe65479 |
0 |
0 |
Cleartext Protocol Usage Via Netflow |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
5a34aa084745df161fe9743db142a1c40cb5ee3886200a67d6ad228a51483a8a |
0 |
0 |
Clipboard Collection of Image Data with Xclip Tool |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
bba5d6f743a4d29df17318bea6702db4ec9ccad741bcfd230545482d2f75c48b |
0 |
0 |
Clipboard Collection with Xclip Tool |
Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC |
Sigma Integrated Rule Set (GitHub) |
05e02a479959ef4e06411f4b132dbfbf2eff4ab9239d4732bc6b92c1762decc4 |
0 |
0 |
Clipboard Collection with Xclip Tool - Auditd |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
5750f0c9e7a5b3d955a1de73bac6ad176f1d221bbe3b3a3c29db1eba3f280619 |
0 |
0 |
Clipboard Data Collection Via OSAScript |
Sohan G (D4rkCiph3r) |
Sigma Integrated Rule Set (GitHub) |
9456883e215175e623eb73fc5dbb97051dd3a45173a64f1b6fdd7f0fe53870f2 |
0 |
0 |
Cloudflared Tunnel Connections Cleanup |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
48787c99cfb6d0430c601a44d4594a6eafff633bca387f3be21825df6a8869d1 |
0 |
0 |
Cloudflared Tunnel Execution |
Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
143bb177d88746ae7cb80c574d4992f4ffef743521dc06124cbc5cfe61ff6a66 |
0 |
0 |
CobaltStrike Malformed UAs in Malleable Profiles |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e4c423de550bfad9e2962081acef2175c6383ee5809f156deedc218690445bcc |
0 |
0 |
CobaltStrike Malleable (OCSP) Profile |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
acdef10f5ebf1c2a007b873f8340f11064f333ffafafbe6d5458758dfafd1a60 |
0 |
0 |
CobaltStrike Malleable Amazon Browsing Traffic Profile |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
4c8dcd1969f5864da6d00d316324cc9c07906eb46dcd52cb5ef77dec09e5f886 |
0 |
0 |
CobaltStrike Malleable OneDrive Browsing Traffic Profile |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
e3debddaebc6a6805b6ecd204901a61dc7771baba667b06ae7259af94cbd15da |
0 |
0 |
CobaltStrike Named Pipe |
Florian Roth (Nextron Systems), Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
acc7e9be68d0e1ad85dc9aafc935bc08834e6cc9a7cc48742991e53d197a46af |
0 |
0 |
CobaltStrike Named Pipe Pattern Regex |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
337224175c49faeb48d475b30549b027ea2f3c467baf9b22a069f35aebe5bd66 |
0 |
0 |
CobaltStrike Named Pipe Patterns |
Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
905fc9490af8169f526089d670a3608b44417c93f5ab5a80be4f4e507ea02668 |
0 |
0 |
CobaltStrike Service Installations |
Florian Roth, Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
07ed77ae45c45cd6dbde58702a9401f505bb4cd22daf19d09993a5c55b05ec21 |
0 |
0 |
CobaltStrike Service Installations |
Florian Roth, Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
52fb124d4388460bedaa284c35492d9da80a1d697d6610dcdcfa5dc688ad118b |
0 |
0 |
CobaltStrike Service Installations |
Florian Roth, Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
bd6e98a1ffa061e8610929a967d533a5f85adf437c7f2694f4b79edcf04c254f |
0 |
0 |
CobaltStrike Service Installations - Security |
Florian Roth (Nextron Systems), Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
1528f16fe86df1015680377eab269f8383ca863cc09a040605bbd624ab36512e |
0 |
0 |
CobaltStrike Service Installations - System |
Florian Roth (Nextron Systems), Wojciech Lesicki |
Sigma Integrated Rule Set (GitHub) |
d47c2221db7aa13e5c3645ca6ec5b315a643a4b9f5a9e50af5bece9e79885196 |
0 |
0 |
CodeIntegrity - Blocked Driver Load With Revoked Certificate |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b6a678b271d158987968faddcf4e07f864b2080c9ff19677921e776403be400e |
0 |
0 |
CodeIntegrity - Blocked Image Load With Revoked Certificate |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
132ca6f5fb7e5a46d0c0ff1f9eb4c7f5419923db740bfc931f7bea2b278599ed |
0 |
0 |
CodeIntegrity - Blocked Image/Driver Load For Policy Violation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e6e7ace9263c4389270ed38b7e0c29fbdc243a863684b3c39cbef17bd49812a1 |
0 |
0 |
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6a1d97c70e8413dd69f28f480801e5d69ebb97e686ae59b206de96febab6ba96 |
0 |
0 |
CodeIntegrity - Revoked Image Loaded |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0385dc4cda443963e2dd06654558c402177adbe2b65508f91693ad23a1fd8dd3 |
0 |
0 |
CodeIntegrity - Revoked Kernel Driver Loaded |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7bf35bc9eebe9bfe3139bcbf63ca7c974b3fefcd8b33954b32739e1a8f4781b7 |
0 |
0 |
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
02c7efd9db64dc8e5d5e82d3bba880a3b1ab9e0fec19e15c668b9a63e1d58fb1 |
0 |
0 |
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
75251a9aae0ea977aee8b2377ffb016f60bd12ebffc44e85268a3eadae94e300 |
0 |
0 |
ComRAT Network Communication |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f8b1e8439f6b16f86828128a05821dfc35b5cedac0b0ef9588c00d9a12d0ef31 |
0 |
0 |
Common Port with Unusual Service |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
448567e1372cc2d57c61ba1258607614de4959656f08b0c769cc4a2d4b6adf6b |
0 |
0 |
Communication To Ngrok Tunneling Service - Linux |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4923797d38f9e57931d4c2524c152b3df9355de308a97dccb63f2d0cfffc3461 |
0 |
0 |
Compress Data and Lock With Password for Exfiltration With WINZIP |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b6ab11c7f95ec7eeb0c511d3c26533628fe403bbf4d5d8e13ba54958aa6899da |
0 |
0 |
Computer Discovery And Export Via Get-ADComputer Cmdlet |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ba0dcf90e36e7408825fbc2ef8c0738174fd31ac01bdf199a594035504753788 |
0 |
0 |
Computer Password Change Via Ksetup.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1b69c2b97209ab8f9dd58e3300058e91e7473df6ba78a0ad001451070d2f29b9 |
0 |
0 |
Confluence Exploitation CVE-2019-3398 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
51b242528b12df33e19aef0d9c491da0899ee0c15706bd24fa1d8bbfdd0c0e20 |
0 |
0 |
Container Image was Uploaded via Unusual Client. |
Brandon Hart |
SOC Prime Threat Detection Marketplace |
0b491699d6ca77a7ec742e9676c80395862b7093ff6ffbfb2aa1d4d22e32f84e |
0 |
0 |
Container With A hostPath Mount Created |
Leo Tsaousis (@laripping) |
Sigma Integrated Rule Set (GitHub) |
23d90a8aef65da2283cf7fab07c5ef05711654bc8d459908f94c188505537b67 |
0 |
0 |
Conti NTDS Exfiltration Command |
Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0b3dd39a21682b0ad57453e8c2da509ea751696a9ed99cae7fb6658a7c77adde |
0 |
0 |
Conti Volume Shadow Listing |
Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
08ef6e8b498eef96cef9154fc59c951d935c3fc9b707146c4eca4567eaa5db9f |
0 |
0 |
Copperhedge Malware (Hidden Cobra) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
aa72a19331c2c067f40e6e48ff853baac0a3d4a25566bc66809995fc42cf7cd8 |
0 |
0 |
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a292fe3208d4e527b02e65976d44d0f6cfe4c3966558ae97f2b6ab6403ffdb94 |
0 |
0 |
Correct Execution of Nltest.exe |
Arun Chauhan |
Sigma Integrated Rule Set (GitHub) |
f2418d4c95e6ea8c75c68ad4358af3fc47e78b7630289f9d13fe04dc688a039b |
0 |
0 |
CrackMapExecWin |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
4937cb1804ae450d1760b136159503b4a353a27a37e6b66253c12834ae1fa611 |
0 |
0 |
CreateDump Process Dump |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
687da476fe7fa5f062fed8f4a4daf9774c0ac4734d817bf428d2c8de23a0b15f |
0 |
0 |
CreateMiniDump Hacktool |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
9ba3182e2ff92ecee64624cd2f1f24935f5ebeb42a5e6530cad6ea428e2941ea |
0 |
0 |
CreateMiniDump Hacktool |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
b0407739067c1a391ad55a8b30a1c8109e9239a36d94cf389a4f842a53e36f73 |
0 |
0 |
CreateMiniDump Hacktool |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
b66ace0358aa3fe35f98b7d2f726aab76956778883e2fd65cbc867bae21e360a |
0 |
0 |
CreateMiniDump Hacktool |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
db9bea11b648e60a727a16af04702fe0746657460d47aa50814a4f7999f58cb6 |
0 |
0 |
Creation Of An User Account |
Marie Euler, Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
f796279cc60013c4736e3ef7e5a140375fba8a3d78694c9d524620326ae8efcf |
0 |
0 |
Creation Of Pod In System Namespace |
Leo Tsaousis (@laripping) |
Sigma Integrated Rule Set (GitHub) |
55d9354329a9fc0545bc60c3642ee567fd8a86b404b8c209708ff60f10cd197e |
0 |
0 |
Creation of a Local Hidden User Account by Registry |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
958ac16256f17b20c00b2a83f4bbad49236266d2b84e59eb2d3c29989efc96b0 |
0 |
0 |
Credential Dumping Activity By Python Based Tool |
Bhabesh Raj, Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
7abfd50efa56572c526738496f6f7059c451615d2e5d8721055c1e39606f97cd |
0 |
0 |
Credential Dumping Attempt Via Svchost |
Florent Labouyrie |
Sigma Integrated Rule Set (GitHub) |
bfad2de2a3ff697a6170b489903df374d7555714e903a5cd764894bec8d7b4df |
0 |
0 |
Credential Dumping Attempt Via WerFault |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6b68e7771434f120225b803e124561f1868c6b5b6459772f4833fa1907ff7948 |
0 |
0 |
Credential Dumping Tools Accessing LSASS Memory |
Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a293708df42b2beba9f1a26e123fed278dfc67f5946ce8c995b2800c58d69e2f |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
1243009f29fe311d9199398e8babee9294e8f9e57205fe6ebec6696ab0eec9e0 |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
433b594a58a12c33431c033f7e53c41d5f635df8cee206163112bfffde169958 |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9a7af0218101ae1b67047098f1cf187e06c88982ba45ad3ef1c685c27788b02d |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ad25ab512a3789c7da7d55a7b60c4d528db1206a0a4d26f3f44d945cc456cc2d |
0 |
0 |
Credential Dumping Tools Service Execution |
Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
be637f31d674fd7f3e36ce2982a40811732c7bbd70435fdb0378ab0bcbd73618 |
0 |
0 |
Credential Dumping Tools Service Execution - Security |
Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
cda32da0a87ef0f9603fc5592471efd0b39082003d4bc39f06871a5dd4336130 |
0 |
0 |
Credential Dumping Tools Service Execution - System |
Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
61e2aaf48c321983d311349f6bced27944c28bcd53f96ee143d8a0a1c321a5f2 |
0 |
0 |
Credential Dumping by LaZagne |
Bhabesh Raj, Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
8cca9e462f882fe58e9f320bb7380d7edbaaaab831521d9f739cca42cf64db37 |
0 |
0 |
Credential Dumping by Pypykatz |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
e7a973176dcaaa7050f1a216ca0d3075bfc12fecf2db13696af32148bd07d6bf |
0 |
0 |
Credentials In Files - Linux |
Igor Fits, oscd.community |
Sigma Integrated Rule Set (GitHub) |
26d8c61d691959676fb6d8b0217d408f4dde823800f79771a458011d3577ffbb |
0 |
0 |
Critical Hive In Suspicious Location Access Bits Cleared |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d5fafba749f09175307d78b0d786f5482b76b825bb977157b90e432409119ff4 |
0 |
0 |
Cross Site Scripting Strings |
Saw Win Naung, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
abfc554e6723d78308adb5dd0917e5604dac15611a98637633eae81fc3aff08f |
0 |
0 |
Cryptbot Stealer |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
06c9cbff1ed607186f04da92f2cf1648e2db7108306751e56b1e9f5123d11b60 |
0 |
0 |
Cryptbot Stealer |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b2707a69365d76d4836147eeaf9407e838f5322fcbd5f89cf86c86f1ba4239d5 |
0 |
0 |
Cryptbot Stealer |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
cdf252693ebe9b52f81229cb74ba8436f6cfdf9cc5c11f178cf9edb027c266aa |
0 |
0 |
Crypto Miner User Agent |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ff0cfc194b0f8edd392e317c8a3d0e012351873096248a33ca36c2b71f5ab3a1 |
0 |
0 |
Cybergate RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e806ec700e831384b0d77c8508e1614d850eb5c7ccb89a9b745d0871c0136e5d |
0 |
0 |
DCERPC SMB Spoolss Named Pipe |
OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
9aca3bd938d644fb20cf3d83a10353ff1440153ab17579e69ed2ee17848c5d93 |
0 |
0 |
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security |
Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) |
Sigma Integrated Rule Set (GitHub) |
325801736478f2eeb21dc4d27671455172bd5ba8978fd1c153bbf1bb560f4617 |
0 |
0 |
DCRat Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
35dd39a15009dacc7bdd973a9fb1484b964accb38bbcb7a63bc0b1bf73131df0 |
0 |
0 |
DCRat Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d6883f28a13f18946f9da1e0d84588bc6e01de49d97cdecbb8b3d5bc2b945880 |
0 |
0 |
DCRat Malware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d84b3a1cba66ed28c6c66d9a5dd807e984d42ba3b1e61ae45717b77695109095 |
0 |
0 |
DEWMODE Webshell Access |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9e465f124d03f3f4a5d575cc4d87bde86fda1fa3092da13a47c07f473c865bbc |
0 |
0 |
DHCP Callout DLL Installation |
Dimitrios Slamaris |
Sigma Integrated Rule Set (GitHub) |
08a22f080dbceb91fd6109159e695139744d9c12f6d94b12c35474b710aeb4ae |
0 |
0 |
DHCP Server Error Failed Loading the CallOut DLL |
Dimitrios Slamaris, @atc_project (fix) |
Sigma Integrated Rule Set (GitHub) |
11670a8f337ded0b6b72a5c41df4831c1b1da694f85e044e4afe1839d5dbc82d |
0 |
0 |
DHCP Server Loaded the CallOut DLL |
Dimitrios Slamaris |
Sigma Integrated Rule Set (GitHub) |
4928e3042535af018624a20ce17e807b66cf935200331da04e2db35a1b6cb695 |
0 |
0 |
DLL Execution via Rasautou.exe |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
18ed0db67fcc790c2b7e9ff5c111ae3691af0b9f2d52618d41d7f956ce8aa598 |
0 |
0 |
DLL Load via LSASS |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4dbf0d3da4d07dd172361786684269e5741eb3602ce1bf2c2c287041e8abe017 |
0 |
0 |
DLL Loaded via CertOC.EXE |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
42f3abed5774e74cc80412cad617ceb1f8881fc484a38c351eed5b589c80dee3 |
0 |
0 |
DLL Names Used By SVR For GraphicalProton Backdoor |
CISA |
Sigma Integrated Rule Set (GitHub) |
058749590d98037f9567485972425d033a51fe2b9aede9ec603af1c03edc136c |
0 |
0 |
DLL Sideloading Of ShellChromeAPI.DLL |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d07d6140d7d6a4e6a50db53310ea4d80cb48d33c95e0ced5e0570d488c2afc0b |
0 |
0 |
DLL Sideloading by VMware Xfer Utility |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
101d7b771d2663a74e9a33cf0dc8d8475af6fe5fd97cda9ecccde0e9c99325b6 |
0 |
0 |
DNS Cache Enumeration(via CIM/WMI) |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
11f3c97d5bb96ad59c7eb445ca4feeab94c4ea4fbc54c6a6ff11061bab8a11b3 |
0 |
0 |
DNS Events Related To Mining Pools |
Saw Winn Naung, Azure-Sentinel, @neu5ron |
Sigma Integrated Rule Set (GitHub) |
ed013f86bfbbcd25b8e462391d437165af76f6ca7e0b33cde4fceb2ee58d3e57 |
0 |
0 |
DNS HybridConnectionManager Service Bus |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
3aadcde102c8a083c36e571f1926927d5bdeddec39fc0f3ca9c514988407c7fe |
0 |
0 |
DNS Query To MEGA Hosting Website - DNS Client |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2b4a7505fcfe362c57f7197c82cd809926da3383f77134bc5dbe2e5db9fd580c |
0 |
0 |
DNS Query To Ufile.io - DNS Client |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c79f5bc9cf7e15e6774913e56090aed7fc5e39f8a3736629ce5efd2eb94d220a |
0 |
0 |
DNS Query for Anonfiles.com Domain - DNS Client |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
12c2f09405eb6cfb663a8cb88fab690da7fc0b72826d360fa3c6714abd86b972 |
0 |
0 |
DNS RCE CVE-2020-1350 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c2b9377be93da37de7a04778f2a879e0e03b32b8aa2f1d0dd8b7c1ba72d7727b |
0 |
0 |
DNS Server Error Failed Loading the ServerLevelPluginDLL |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a560dac7223fded812b9599d8c99d99739563099829698349739e8edeb365cc8 |
0 |
0 |
DNS ServerLevelPluginDll Install |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
5935b25ff10421da2a478f9f484858a9599e6551a17272c7a4017c6e1a55df07 |
0 |
0 |
DNS ServerLevelPluginDll Install |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
8435be4251ebdf2b4f18ae9d65faca381dc2fad4574c29cff3a962e5c9237487 |
0 |
0 |
DNS ServerLevelPluginDll Install |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
cfcbc45713ff3176a1284f986927a251f17c892931e87871325476256b26bb0c |
0 |
0 |
DNS TOR Proxies |
Saw Winn Naung, Azure-Sentinel |
Sigma Integrated Rule Set (GitHub) |
1b16378c68113f05c5cf4b51586d582401449553cf4775243b8ce459ef59ef99 |
0 |
0 |
DNS TXT Answer with Possible Execution Strings |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
8960985ab852fb33eb502577cd94683447f94e1a5299bfb607905f6a591cc78e |
0 |
0 |
DNS-over-HTTPS Enabled by Registry |
Austin Songer |
Sigma Integrated Rule Set (GitHub) |
0426d73fef7393ca82c3fbe1bedafc6d698e787d2cd679e17ae93a3b446a487f |
0 |
0 |
DNSCat2 Powershell Implementation Detection Via Process Creation |
Cian Heasley |
Sigma Integrated Rule Set (GitHub) |
b31e87788fbc1690d2371c0a80ebe27cf8c7a433c9a7f28b1a077ba534308772 |
0 |
0 |
DPAPI Domain Backup Key Extraction |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
d9a0bb3db2e444420bfe144e0ffc3f7e4dd9315a4792d088f6d79b706ac5fac0 |
0 |
0 |
DPAPI Domain Master Key Backup Attempt |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
084c47f6ea9d2126ec7b6b95e20cdf54557800f1b8394ae472f95b6162be6db1 |
0 |
0 |
DPRK Threat Actor - C2 Communication DNS Indicators |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
91819c057f7d81dea11b1b5ffd46c2b4564b723e118dbba5b2c24c41a8791203 |
0 |
0 |
DarkGate - Autoit3.EXE File Creation By Uncommon Process |
Micah Babinski |
Sigma Integrated Rule Set (GitHub) |
72089cbe18d7a9e899b30d733717ba9daa4d7e1bda15025fd2e52a797163b8b6 |
0 |
0 |
DarkGate - User Created Via Net.EXE |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fbea3fdcc21ba75635d639cd7f1805424b22f1a59da1627218d7050c557ffadb |
0 |
0 |
DarkRAT Botnet |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
097182ab9d206700057ec3ab10e6684d34c9b3ff109901a14fb1dbd8da889d95 |
0 |
0 |
DarkRAT Botnet |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
0d8a277066bf7279215ee87bce9077e63ee0037f495593431ddbff9fa822c179 |
0 |
0 |
Data Compressed |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fb2193574c75e35df0989335aac30e2e13f3b8163caf7eef46058ae407b19e98 |
0 |
0 |
Data Exfiltration to Unsanctioned Apps |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
bae0cfa813856773ccb7c9ac2654b2f064928c841cb1442d6dda554b4e346c98 |
0 |
0 |
Data Exfiltration with Wget |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
334aab46cbdf770ef0720448d240e1b67c2a759449b703fba9d425f1450d83f9 |
0 |
0 |
Decode strings from lnk via findstr.exe |
Joe Security |
Joe Security Rule Set (GitHub) |
9d57b9ed7a852960b15a4d2a7fb4faa9174893a98953c9f09989faab11ed110d |
0 |
0 |
Default Cobalt Strike Certificate |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
19a7f2dd57b12f6048694290890081c7033fcf871e2c6ac4ddac91980374c15b |
0 |
0 |
Default Credentials Usage |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
65501b5c31cfa5ab80e3a4512b833f9e4bb77ef303f17fc8839abf9c1b435969 |
0 |
0 |
Default Credentials Usage. |
Alexandr Yampolskyi |
SOC Prime Threat Detection Marketplace |
3ed924bf0f9ebfc7642bd2eb1a2b925d801ff58fd267c5066fe579c55051e5cc |
0 |
0 |
Defrag Deactivation |
Florian Roth, Bartlomiej Czyz (@bczyz1) |
Sigma Integrated Rule Set (GitHub) |
462e0455aac7979a208190934de4564c8d6f5759fa73ea355f31b871967ed1eb |
0 |
0 |
Defrag Deactivation |
Florian Roth, Bartlomiej Czyz (@bczyz1) |
Sigma Integrated Rule Set (GitHub) |
4a305b6df01e5870b2018b579218b7e7b94bcc24e0959629d5cd3812d771d39b |
0 |
0 |
Defrag Deactivation |
Florian Roth, Bartlomiej Czyz (@bczyz1) |
Sigma Integrated Rule Set (GitHub) |
f7c48f991deaa5a1f44d21dc156d1989c5c383f971da93ecc1eaf11928860293 |
0 |
0 |
Defrag Deactivation - Security |
Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) |
Sigma Integrated Rule Set (GitHub) |
1ab376818e4cb7b7005cf46c5c118f9d09e2779f289cd7f37afc5fca8fc6e4f5 |
0 |
0 |
Delegated Permissions Granted For All Users |
Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' |
Sigma Integrated Rule Set (GitHub) |
7e53f4cfbdfd2c5fa0247d5fe1ab4a1b36136af1830a5d80710976b3908c48dd |
0 |
0 |
Denied Access To Remote Desktop |
Pushkarev Dmitry |
Sigma Integrated Rule Set (GitHub) |
755295cd9d58dfbf7808166ecd446d284fa160fe7f2e2b5673aeef6cc5cb0a44 |
0 |
0 |
Deployment AppX Package Was Blocked By AppLocker |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7da40e839cf5f0d73087f8c6c4717de3ec7a13449ce8e188460f89e33b12e2ae |
0 |
0 |
Deployment Deleted From Kubernetes Cluster |
Leo Tsaousis (@laripping) |
Sigma Integrated Rule Set (GitHub) |
d070b9d32f621068ef3f5dc31c15ceb7b6a94fce941832d5156c1b4dfd124a5c |
0 |
0 |
Deployment Of The AppX Package Was Blocked By The Policy |
frack113 |
Sigma Integrated Rule Set (GitHub) |
dfe6fcb13ba0be0c88ad6cf05f81ace91ae31f8bc6eccf703deaa99c200d55dd |
0 |
0 |
Detected Windows Software Discovery |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
296c4235eb2d9969dd70271f37fd8708d44ea158f9a24508790c33c5b6003dae |
0 |
0 |
Detected Windows Software Discovery |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
45e686dc153cf8d6e5cf577bc67b50dc6668c51412eddb7aede600f65fd5e9f0 |
0 |
0 |
Detected Windows Software Discovery |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ddc07067e955f9f404023ebf4e274002f57acb50f1fe16fe88b6704df84b3864 |
0 |
0 |
Detecting Sysmon on a Victim Host (via powershell) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
9d639e1b707b6f24ae8b637df63d5ac02aac0933b062d3477fa84d3194dc4e7b |
0 |
0 |
Detection of Possible Rotten Potato |
Teymur Kheirkhabarov |
Sigma Integrated Rule Set (GitHub) |
45c3c61e20707c18533d763c9e1c0a2f3abd229bd485f75c933da3e4ba156186 |
0 |
0 |
Device Installation Blocked |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c4ef183c583634c30e2ec4b60aecf6212b479a205961b7a079cf77cf3a10498b |
0 |
0 |
Device Registration or Join Without MFA |
Michael Epping, '@mepples21' |
Sigma Integrated Rule Set (GitHub) |
a158153f262e73c2256d05133ad9d1479ec9fbd516352021e325ee5e7373be61 |
0 |
0 |
Devil Bait Potential C2 Communication Traffic |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
83086326d048b726e7824b5dc833c864d799584d9c8ffac88f23d8d94716b070 |
0 |
0 |
Devtoolslauncher.exe Executes Specified Binary |
Beyu Denis, oscd.community (rule), @_felamos (idea) |
Sigma Integrated Rule Set (GitHub) |
336df26c319863147659e184f6387914d5b34b55eeb4dabe819907f747016967 |
0 |
0 |
Diamond Sleet APT DLL Sideloading Indicators |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
46f645cfe244160c9a8d686236c14f8d5e04f29b7e951e192f3f11fd68037a10 |
0 |
0 |
Diamond Sleet APT DNS Communication Indicators |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
04f4011ccf3e372c8fb6c31785bf840c89d521a644ead59c5fef56b888994162 |
0 |
0 |
Diamond Sleet APT Process Activity Indicators |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
59a460975011c123a7acdb982749c27ebf78cbd37c329444676837870200aa60 |
0 |
0 |
Diamond Sleet APT Scheduled Task Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
465232b3625350763f8a622c26f6e78139d07d99774eb093b777ec3daf2fd336 |
0 |
0 |
Diamond Sleet APT Scheduled Task Creation - Registry |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b24c179bb77f826b4bc8f9b2f14af706eb86c3c5d14ec339cff7fb45dea8a513 |
0 |
0 |
Disable Exploit Guard Network Protection on Windows Defender |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
8c426cb2a8a98a743f8e95cb5717e867cc5d4d22fcc97255e10fac2d59176fac |
0 |
0 |
Disable Macro Runtime Scan Scope |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e448df332034272fce5d2071fe9f070084a293696a4d9f879591bcd91b12d862 |
0 |
0 |
Disable Privacy Settings Experience in Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e047bdf5f28a6d7c67d53f5cae5362d16ec6a73c354de983be8efbd7d19039ff |
0 |
0 |
Disable Security Events Logging Adding Reg Key MiniNt |
Ilyas Ochkov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
6eaa9c84915e6b68d49ea0ea6b069124ad33f6d9666e8baf43270a57ee9e1b2a |
0 |
0 |
Disable System Firewall |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
bfb6779f8bcb262174ab1cdfd6dc6c24f7ab01aa0510928dc59d51257c11e472 |
0 |
0 |
Disable Windows IIS HTTP Logging |
frack113 |
Sigma Integrated Rule Set (GitHub) |
8e9b40932ae787a51edc9fadbb2fd842437eea7b83804b0090d7f069e2d0a5f2 |
0 |
0 |
Disable of ETW Trace - Powershell |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fb21aa9533b87e78511396a558c521c85a35533d4f9f44f9380e79dcee68ae56 |
0 |
0 |
Disabled MFA to Bypass Authentication Mechanisms |
@ionsor |
Sigma Integrated Rule Set (GitHub) |
53b242e959d09f957c67fcb81b740965ebe398e9ef22bb0d8ec23f5dd1add1d4 |
0 |
0 |
Disabled Users Failing To Authenticate From Source Using Kerberos |
Mauricio Velazco, frack113 |
Sigma Integrated Rule Set (GitHub) |
a87dc529f00cccdafd3037358d753f5b37bdbc5d5860e077d8794985d3d93f5d |
0 |
0 |
Disabled Volume Snapshots |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
570e42eea810ffc81d8b3f1b5d284c891c1ca4a897bc6a8d5307ba5ac4feebbe |
0 |
0 |
Disabling Multi Factor Authentication |
Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule) |
Sigma Integrated Rule Set (GitHub) |
991a51f0fe833478df030b9c2d5dfcbd9a08cb54d65f4fee6de32502da219829 |
0 |
0 |
Disabling Security Tools |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
495b384015032ab9c529e649f340c35394c72a7ace8daf0aecc9b3fe7bb5f54e |
0 |
0 |
Disabling Security Tools |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7c1caf17a217864cc13be5d7320e631c61b949686fc630c72b5d143d1b4cdbbb |
0 |
0 |
Disabling Security Tools |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
df800176ac79cd510a92bccecd1ec64124d8917bd009406abd5457f353896225 |
0 |
0 |
Disabling Security Tools - Builtin |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7657d165811c7f6d4f9ff55e9ce81d8405e42f6157faed664f28bbc8fe97e560 |
0 |
0 |
Discovery Using AzureHound |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
285046a386633dc2065de3a86c090ace867fc6f4d6ea14d4dcb8e3129bbe7292 |
0 |
0 |
DiskShadow and Vshadow launch detection |
Eugene Nechiporenko, SOC Prime |
SOC Prime Threat Detection Marketplace |
85495f94a180f99ee2283759ac8a387cd3df5ff6802bcebcd6fd16bd75788af7 |
0 |
0 |
Django Framework Exceptions |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
fad46f86c5fe8acee91d73cf5901cf64df547e2777230845acfe89b79cbf172a |
0 |
0 |
Docker Container Discovery Via Dockerenv Listing |
Seth Hanford |
Sigma Integrated Rule Set (GitHub) |
0e7e6c658234f42dfe3a0caeaeee9a388217d69fccd37a24dd0df1afea170b2d |
0 |
0 |
Domain Trust Discovery |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
4fba485fa9f02eb8d0e28a7b84276fb6a276943a2948a62fe3d614248af840fd |
0 |
0 |
Domain Trust Discovery |
Jakob Weinzettl, oscd.community |
Sigma Integrated Rule Set (GitHub) |
50137e4985d62ff32fe9acc8ecd34bbc1e546bce28ae9d0c168c5bc0e62c2098 |
0 |
0 |
Domain User Enumeration Network Recon 01 |
Nate Guagenti (@neu5ron), Open Threat Research (OTR) |
Sigma Integrated Rule Set (GitHub) |
11a4140a5787cdd2ea81d81e4e06755144d3c4abe02a886ec68eeb79c5273223 |
0 |
0 |
Domestic Kitten FurBall Malware Pattern |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
d75f4b248c10259b1011107000396926b1a9e5cd4b0031500be48aee109855b5 |
0 |
0 |
Donotgroup APT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
431dbf8b11cf45bebac6646a5fe3c450c306b29edaf25977675ee072495216f8 |
0 |
0 |
Donotgroup APT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b3a4cba903a56c4b1c614cbde0de39dbec54a5aa5c8c8990df7f654b4a4c05ab |
0 |
0 |
Donotgroup APT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d65688b1788bfa0f9d3f71219812a68ef61b2de1f9da32a3be8f9ce57314eba0 |
0 |
0 |
Download From Suspicious TLD - Blacklist |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5ccaad9297f4a0eab603caddab274e285f600daadd324b7ff0b1664d5fa19675 |
0 |
0 |
Download From Suspicious TLD - Whitelist |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0182cb90eb98bcbd6b9724bdf7aa6f62ee6e327b059e24257dfd8339db0d3579 |
0 |
0 |
Download from Suspicious Dyndns Hosts |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d24da8eb78bf79c4be60dc23a68bd4ced6da6a3ad0eca8e8c2f4f43d08527e24 |
0 |
0 |
DragonFly variant (Goodor) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
76c36e8978ca88131a604877350f6d74659dd6354870487d271706837731f68c |
0 |
0 |
DragonFly variant (Goodor) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b36ce9f509e99bf322f61b552fe1197b17812c6ec7e34429e60852ccce9b21ff |
0 |
0 |
DragonFly variant (Goodor) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
f9376b94f03fe9d6f1fa80fe124bddee8d9d51ee56b3e761e3b550f5717ea1e8 |
0 |
0 |
Driver/DLL Installation Via Odbcconf.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5a904d51bdf849fcbc2359cd5f5bfe7fb4f4a689bdb4ad7295d051464f07c8a2 |
0 |
0 |
Dropping Of Password Filter DLL |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
ee1da0ec4e59bf6a30e8d78efcf41afcbe4babcee998f991aa62701b5fdb80df |
0 |
0 |
Dump Ntds.dit To Suspicious Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ae98f10c9c3089fe4172736d9574028281ef25bce3681b6a3006bcb97ab56bd1 |
0 |
0 |
DumpStack.log Defender Evasion |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9aa94cce0b20ff88d8c54a77c049e7d80f00af8ed4def6aa7395dc01692b5394 |
0 |
0 |
Dumpert Process Dumper |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
4182b10f293111ccccca770ada467f9a23c6679818008b7436e1842cac95a691 |
0 |
0 |
Dumpert Process Dumper |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
758c2b360e853174de27738caef97d466db11778427f5db30224884512b55494 | 0 | 0 |
Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9f11ecfc5795bbd9676baf8be43d9bd9f6da30f13022e7d97b279730326db7ad | 0 | 0 |
Dumping Lsass.exe Memory with MiniDumpWriteDump API | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | c2b930e9318dce446b4b4ed018e6ade935182bf7ca1404ae47923673beafee95 | 0 | 0 |
Dumping Process via Sqldumper.exe | Kirill Kiryanov, oscd.community | Sigma Integrated Rule Set (GitHub) | b8953b2fd9eedf5150cb430ec88f3653045e82c553904a73f87423600b427bee | 0 | 0 |
Dumps Process Using tttracer.exe | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 1b2196c83bd73a6164882d3b22f19d200742a1d5541207b0e4b8684476e12ce2 | 0 | 0 |
Dupzom Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 38bcd0b136a2a67b8c4d5b7a13cd98cf8590d84aba9b380e944c2f8ba851554f | 0 | 0 |
Dupzom Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b68ad5ecfba8b9b44e110368c029c99324cfa21b478209746fa0fcc441e51659 | 0 | 0 |
EDR WMI Command Execution by Office Applications | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 283d42c1fadd5e7b1d94efc708531703992e171a52b45eefe6e2eba61827fcdc | 0 | 0 |
ESXi Account Creation Via ESXCLI | Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | 204cde183073b63d4337cc1dcc27db716d89346fbbbc47289b869bc3656a3b6a | 0 | 0 |
ESXi Admin Permission Assigned To Account Via ESXCLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 45890ceb9a2b49c0355894816f144136fc7032c7b874d30176759a79834a7365 | 0 | 0 |
ESXi Network Configuration Discovery Via ESXCLI | Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | b0e8f06db3021ce68f574d3e343b81846ac1a3e307b9b6871883e3effe996da8 | 0 | 0 |
ESXi Storage Information Discovery Via ESXCLI | Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | ec049bb28bdd441bef0b03adf09458b2bedf629b7d1f8211ce52b1bb08ddea2f | 0 | 0 |
ESXi Syslog Configuration Change Via ESXCLI | Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | 23eb4efca0a49a9be18859e916d295fc6950604b09895dec8bbd6f5cce7b6f48 | 0 | 0 |
ESXi System Information Discovery Via ESXCLI | Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | 78efdf1a1e343b365b9583afd16cdb164ba3e095ba0e0675828c85f7e2d7bbe6 | 0 | 0 |
ESXi VM Kill Via ESXCLI | Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | 958dfce69baae04f7d2aed61952bebd60261014bc92209c800f67b3bcdfeaaed | 0 | 0 |
ESXi VM List Discovery Via ESXCLI | Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | c0660184f15a0abf946856d7c6571b9b7de28877849a69a7740b80067f2bca10 | 0 | 0 |
ESXi VSAN Information Discovery Via ESXCLI | Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon | Sigma Integrated Rule Set (GitHub) | 9b55915f19475d2e1d8d25068d9606af51988181213faff8a6106513a05f94ad | 0 | 0 |
ETW Logging Disabled For SCM | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b25c9cdef72ebd81a0d1211a4769034192cd8c731778d8a88a1b327aac9b8b14 | 0 | 0 |
ETW Logging Disabled For rpcrt4.dll | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e3038ae7bc47420e50f90cbb3decb3348aedcdda901f3ce021b9d2efa66be73 | 0 | 0 |
ETW Logging Disabled In .NET Processes - Registry | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | cc1b63adcbcba57ac6edb7913c2741cb0bee32fe4301f250ee4087ba643a654f | 0 | 0 |
ETW Logging Disabled In .NET Processes - Sysmon Registry | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 35fa58d3974ddf4be72ca9c5273ff5dfde7de065d8b27e4baef1189a9c10014d | 0 | 0 |
ETW Logging Tamper In .NET Processes | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 37c4f090dee0ead128c75a30b117563fd3376ddf2e4b622311b167c9a3b1ba18 | 0 | 0 |
Edit of .bash_profile and .bashrc | Peter Matkovski | Sigma Integrated Rule Set (GitHub) | cebaa2668c1b09efe1fcc6d468abfb9aa15dbba4c6e04246ba9e9f0bf407dc65 | 0 | 0 |
Elevated System Shell Spawned From Uncommon Parent Location | frack113, Tim Shelton (update fp) | Sigma Integrated Rule Set (GitHub) | 83648f12e1fbafb647c78097387a8c931b169cd2e2dd475799f2a5239321ceec | 0 | 0 |
Elise Backdoor Activity | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f1a0bd0e13fc71835ebb28c9bcd3329c320fbb38c22a6521ad2ec7afec74c71 | 0 | 0 |
Email Exifiltration Via Powershell | Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea) | Sigma Integrated Rule Set (GitHub) | 8e330ded37baad5e1a3a93c94c2b86b8531a5fd14a2c4f68770cfda9b37a3f64 | 0 | 0 |
Empire Monkey | Markus Neis | Sigma Integrated Rule Set (GitHub) | 23618eea142f67106fec1f2e49084b25abad9af9614fd101fae65a465fce36f6 | 0 | 0 |
Enable BPF Kprobes Tracing | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0237caeadcdd18c3a857e476d6ee87550336de43d2172a1a5a52b9f60d4d18e3 | 0 | 0 |
Enable Local Manifest Installation With Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e0e156bbd124a1ed1462866c1a8f506b33f93f74cf0901c0e71c196c1e898add | 0 | 0 |
Enable Microsoft Dynamic Data Exchange | frack113 | Sigma Integrated Rule Set (GitHub) | 4c77e232cdf4c22bbfa61c061d45db122b775ada7f113c1a871005f0314aeaa4 | 0 | 0 |
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback | X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 090a9379407c8096d3dc6fffa2e98c7b3f5682bd5b984f57f73900f4b7d12f1e | 0 | 0 |
Enabled User Right in AD to Control User Objects | @neu5ron | Sigma Integrated Rule Set (GitHub) | 5b7c1293fd9b0e601e332e3957086d1d0c6a06bfadd6c43e4270efb3277d3f29 | 0 | 0 |
Enabling RDP remotely using PsExec | Ruslan Mikhalov, SOC Prime Team | SOC Prime Threat Detection Marketplace | a0da5ca640c0db1d98b306ba62d3da18bb15ee97be16ca41d672fe2e8ebec17c | 0 | 0 |
End User Consent | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 9ba43faff7a4e2460922534c3ff380de37474d9aefeccb498b05be93c8f426b6 | 0 | 0 |
End User Consent Blocked | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | b3d0cbc175e205c04b9ed5e69998bdad1f7d66c6d968e063895e2b907e13e15f | 0 | 0 |
Enumeration via the Global Catalog | Chakib Gzenayi (@Chak092), Hosni Mribah | Sigma Integrated Rule Set (GitHub) | 1305672c2572166a4d69a39b49ae88090a50a828e90fe74ecbcb764defc3658e | 0 | 0 |
Equation Group C2 Communication | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ec2be6d2ee05ce5b9bbe5fa0e0c88445206d45c31719b20f8b334b51509702ca | 0 | 0 |
Equation Group Indicators | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 214644f8f8defe22c479a808c315e0abeab487ba6453aea73b617671e82afc64 | 0 | 0 |
Evasion Base64 decode arguments in Powershell. (Possible APT29 activity) | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 66bf1484dc26be16a812d0aad2d4ac6fb6a930d54d654fefdb5395f2f5bdd569 | 0 | 0 |
Evasive Azorult detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bc6f9cb8f39b70734c26b70f509cd672b3173413fef65146e95364ccd778a60e | 0 | 0 |
Event Tracing(ETW) .NET Bypassing | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 6069c607c41cfbdf480184c91403313c4f458c82732ed81f1cff013d545756f6 | 0 | 0 |
Eventlog Cleared | Florian Roth | Sigma Integrated Rule Set (GitHub) | 21811843bfb7d3bd52d24ba751e69b943436736e36c5b88a3f0f5d4f80c042fd | 0 | 0 |
Eventlog Cleared | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7ab84c6091a1b4ceb1d00bb8f3be32dcd111618b7e0b705f7a14f2696bd4527c | 0 | 0 |
Eventlog Cleared | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 897e81991ba93eae2ef049bec91493dcbc61908766ac3d56284ce87250a69aed | 0 | 0 |
Eventlog Cleared | Florian Roth | Sigma Integrated Rule Set (GitHub) | eef34d2dd2c9264ef00f80ce3cee8c0b7232729bfb39f5f5258afc0701b750ba | 0 | 0 |
EvilNum APT Golden Chickens Deployment Via OCX Files | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c07dab99223af1d0dcc74e5419200d751c154be9bf5fb4f8817b718b80074034 | 0 | 0 |
Exchange Exploitation CVE-2021-28480 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8b0df83cd0067e8ec609c343855fdc202dc02e08333f53087a98ea20ae5a5b9a | 0 | 0 |
Exchange Exploitation Used by HAFNIUM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa61fa3a9e1eb0bec15a00e9a84860be9b60903bc1901454841437fa15d2b33e | 0 | 0 |
Exchange PowerShell Cmdlet History Deleted | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 628b268dfb27c23fa39874cbe14fa94c346995f129d19b10ce1254742aeb75dc | 0 | 0 |
Exchange PowerShell Snap-Ins Usage | FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d6b23e65044f31aa0e870c30cfcb96f03b4e07207a6ee29c0ed9707981459b23 | 0 | 0 |
Exchange ProxyShell Pattern | Florian Roth (Nextron Systems), Rich Warren | Sigma Integrated Rule Set (GitHub) | 64bc18e376a29a7021c54cb9dd0360d271fdc492dfe549706a750fcce1c06b85 | 0 | 0 |
Exchange Set OabVirtualDirectory ExternalUrl Property | Jose Rodriguez @Cyb3rPandaH | Sigma Integrated Rule Set (GitHub) | 76f94274bd2a1a2e6fff0a84131b19b7a88097a0ecdf13f713b85cbe87821798 | 0 | 0 |
Exe Launched By ReflectiveLoader Dll | Joe Security | Joe Security Rule Set (GitHub) | fb6e575b96ef105d7648f2fbb84e53c968901fc34652bf51317f8fa76685654f | 0 | 0 |
Executable from Webdav | SOC Prime, Adam Swan | Sigma Integrated Rule Set (GitHub) | c5b9b720930832b94426c87d7d20296939a583d3a341561476b195402c712b66 | 0 | 0 |
Executable from Webdav - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 39c77a2689a21b694239fd44d2ca79bd9fbdd010599631d811030596b2bb794d | 0 | 0 |
Execute Code with Pester.bat | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 4c7cd76bbfcbeccd5a632e9635a2ba08c7f1b72ecfc3b734d01e3a46c75c1779 | 0 | 0 |
Execute Code with Pester.bat as Parent | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 6b2bfdea0c20a8dacb06c81b30e897f413e348322ee29b59e850d162222888de | 0 | 0 |
Execute Files with Msdeploy.exe | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 01d30cac08cb23905f4eacf48a745712b09efd4d13ece8136df401f4fa5a9969 | 0 | 0 |
Execute From Alternate Data Streams | frack113 | Sigma Integrated Rule Set (GitHub) | 050886ba2f2b1f82f8131a47ce6b22fb2663a44155ba973da3477fde647c06a5 | 0 | 0 |
Execute MSDT Via Answer File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 32e64e651f354b426dc717293affb14f8d8b7140ab2ebe000a3239f108926c6f | 0 | 0 |
Execute Pcwrun.EXE To Leverage Follina | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 07baec2ac5a4524c22bab6b241fefd2d5d163c23f6715c470efc21c28ba2d7f1 | 0 | 0 |
Execution DLL of Choice Using WAB.EXE | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 99b21cfd2dee5c20c4ee150c1f8ff725e843b680ad0362dc10682baf38dba493 | 0 | 0 |
Execution of Renamed PaExec | Jason Lynch | Sigma Integrated Rule Set (GitHub) | bc6e1fabac9a6bb91d67a4a5439f899182862c791a4d2bb72fbaf27b552554d6 | 0 | 0 |
Execution via CL_Invocation.ps1 (2 Lines) | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | ceefb57442e71801749707909d69108b161f2d2e4a973242e7e2386648bee9b9 | 0 | 0 |
Execution via CL_Invocation.ps1 - Powershell | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | c162774264013dd3be5fe01db608c8cd43087fb90d8ec4a8371ec6c119f1fef0 | 0 | 0 |
Execution via CL_Mutexverifiers.ps1 | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 1394e1d2c663042f47108fb190ff989e13550eff19ce6db03ef09a0c5a92aaec | 0 | 0 |
Execution via CL_Mutexverifiers.ps1 | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | e0857d3351e317e009063a5853ed0234b65be28d6b94c9727a4473d4bd135d9c | 0 | 0 |
Execution via CL_Mutexverifiers.ps1 (2 Lines) | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 389839a4c3b9d52b701fe26dbe2f77f37e841fec35467860ced1accddf84b24d | 0 | 0 |
Execution via Diskshadow.exe | Ivan Dyachkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 1fc7c2d6af25fd4fb6af44ba89bae55555dbcfdcc31e586fd94298ac39ea011d | 0 | 0 |
Execution via MSSQL Xp_cmdshell Stored Procedure | Tim Rauch | Sigma Integrated Rule Set (GitHub) | a5e738d9e67512fdb2a62724cacfb4c4b027f3ad9bde2a019d5f34632eb2ec1e | 0 | 0 |
Exploit Framework User Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5568bf39e0e0778586bb12b9eec75fa632d667e59d9a2593a81fc3c1f92482df | 0 | 0 |
Exploit for CVE-2015-1641 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d3c02a535ea8c2ccc601d4d5317b74c2389350cbeffab45fe35634fb61351840 | 0 | 0 |
Exploit for CVE-2017-0261 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9931af355487f8ba552a4261f563cca37a36e808d77f2dbc3857687968010e3a | 0 | 0 |
Exploit for CVE-2017-8759 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9697bdf7c6b76b101974ea8a0feee97c4b309c7c74d5ccbf4e0c2b3a5e03f167 | 0 | 0 |
Exploitation Attempt Of CVE-2023-46214 Using Public POC Code | Lars B. P. Frydenskov(Trifork Security) | Sigma Integrated Rule Set (GitHub) | 27efb80f8a89252473f733f61fcd3ebedc775d348b8b87de388eceb60f7eb85a | 0 | 0 |
Exploitation Indicator Of CVE-2022-42475 | Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75 | Sigma Integrated Rule Set (GitHub) | f73bf833ff143771d4662eea5480be331b547c0a0117e990146ce5b4fcc30582 | 0 | 0 |
Exploitation Indicators Of CVE-2023-20198 | Lars B. P. Frydenskov (Trifork Security) | Sigma Integrated Rule Set (GitHub) | 3126c0f4e536e6b26299c8b4202ef19198038e958a2b15f0c3a2bbf896c143c5 | 0 | 0 |
Exploitation of CVE-2021-26814 in Wazuh | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e9dbd9775b62ea76e1f299caeec38e889d5ade4d1b9f15f0125be4c6c34f6ed8 | 0 | 0 |
Exploited CVE-2020-10189 Zoho ManageEngine | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f85ce5948989e315c57d34da1951a85d6b29e1dd91e294fed17c4c5d2a65ca26 | 0 | 0 |
Exploiting CVE-2019-1388 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ca8e07ebb4a9e88b2988f1c2c1da442f21dd9e29212734cad87963436e07697a | 0 | 0 |
Exploiting SetupComplete.cmd CVE-2019-1378 | Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | aaf4513bd87abe8d41992949584d6e69d734d9f68ef90eaa97be26b350d990c6 | 0 | 0 |
Exports Critical Registry Keys To a File | Oddvar Moe, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | dbe237db785de8531f797d5f0689f67cf0389152523f491db2c761f5888de930 | 0 | 0 |
External Disk Drive Or USB Storage Device Was Recognized By The System | Keith Wright | Sigma Integrated Rule Set (GitHub) | 69ec9de0dde4471e41ee7ac007a2e667bee45fc610f59477cfcd75bb72afdf6a | 0 | 0 |
External Facing ICS DNP3 | SOC Prime Team | SOC Prime Threat Detection Marketplace | f91099b17f9d1bca0d4db4e5b0ad22f95649383e9cf2240cc0abc68540881418 | 0 | 0 |
External Proxy Detected (Overview Query) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 8871bb484e485ff18029d70ed25036cf72ae96f363232176d3f639f5ffc8c719 | 0 | 0 |
External Remote RDP Logon from Public IP | Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 49aec14518e31487cacf1b97c8d227e4485f822a6a30d04b3fac2c7c145dbc74 | 0 | 0 |
F5 BIG-IP iControl Rest API Command Execution - Proxy | Nasreddine Bencherchali (Nextron Systems), Thurein Oo | Sigma Integrated Rule Set (GitHub) | b3055175d1d5554ed64d6193a00f3a1a8a841c31f778939473dc8ff1d3078d36 | 0 | 0 |
F5 BIG-IP iControl Rest API Command Execution - Webserver | Nasreddine Bencherchali (Nextron Systems), Thurein Oo | Sigma Integrated Rule Set (GitHub) | 6e6b09ec3aaaf909ff39e611ebb0d04042e76efa232ee6cdc8ccac29b2b0e7dc | 0 | 0 |
FASTCash 2.0 - North Korea's BeagleBoyz Robbing Banks | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 328842f9bf7293774dba7e98cfbc8dc38cc5c3bfd0b550b66f9f388d2364db6b | 0 | 0 |
FIN7's Backdoor "GRIFFON" | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 94db0c3a112be50fd02c2ff8b6bdb0ac37e92b752979f8c6f2e5563abe56be96 | 0 | 0 |
FIN7's Backdoor "GRIFFON" | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b76c81cee8f9040791d362bde9fa5c5ec808c3d2f0fce6f9f4a04448b9e10018 | 0 | 0 |
FORMBOOK Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4675166eaef352485a92c18a16d156904430c5c7735fd58dba24cf182c23d60e | 0 | 0 |
FORMBOOK Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d8ca2edb73662b566eff75ea12702658de66707396e7bb7923a06ed5a3e3db3f | 0 | 0 |
FORMBOOK Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | eeee8664c6a13d9135d1338a6561c8e98c8d43e7769fb1532912f88a85cfc98d | 0 | 0 |
Failed Authentications From Countries You Do Not Operate Out Of | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | feb740756a11ff14f31480b827e32dc083967875e41284e0667b45ec7b99c7ca | 0 | 0 |
Failed DNS Zone Transfer | Zach Mathis | Sigma Integrated Rule Set (GitHub) | f8136f791ce5eb598447408965d8611b56158bb3093f9bc217cf6ebb2d7b0e71 | 0 | 0 |
Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | 39c6740d7e5a4065ad484a47fdf900dac6ebb236a092d3a62ae08b42f997aaf4 | 0 | 0 |
Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | 96209abdf48c67f20055c6bff1def00f64467ff7b6241d0f81f46fb6dd9c45ce | 0 | 0 |
Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | c205af7876e4586e4a5a6daf3886f1baa3df67852a520806aa99706ca5d30f1d | 0 | 0 |
Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | ca722b22c08d09482ee7e905dc151bc4c635059ae6cca8d5e7319d79d75a939b | 0 | 0 |
Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | da16f0c4a5327c930eada87193754d50bfcbe86ae02f2b346843be759f3bf068 | 0 | 0 |
Failed Logins with Different Accounts from Single Source System | Florian Roth | Sigma Integrated Rule Set (GitHub) | e0dab5d045b0693435584647bbbacf51af451c35bf9073723e14ce5e9faa977a | 0 | 0 |
Failed Logon From Public IP | NVISO | Sigma Integrated Rule Set (GitHub) | 747bd73d4c017e43abc40ee62507a5889d075d5fde6a504c4d858fa2bcf544cf | 0 | 0 |
Failed MSExchange Transport Agent Installation | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4ffd23c451cedb770f7b27887ee3bedb3bd28836fcf3f1af17ddfcc02f42244f | 0 | 0 |
Failed Mounting of Hidden Share | Fabian Franz | Sigma Integrated Rule Set (GitHub) | 68bc17c47cc9a04e078b6e31872b2c345a9de4e688c0a560ab1aa1c3e4cc7539 | 0 | 0 |
Fax Service DLL Search Order Hijack | NVISO | Sigma Integrated Rule Set (GitHub) | 4bd3cd7f770c6c3ec6329529702f55c609cbd0c8220a36c08756e56a5eb0e553 | 0 | 0 |
File Creation Date Changed to Another Year | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df4fe2b0d851692a371bf0f348a05717c283887d556e2a095787e3269c007918 | 0 | 0 |
File Creation by Office Applications | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 4c867f43073512dc59c123d57114baa298a7f696a87ca8842fba36f25783ba49 | 0 | 0 |
File Decryption Using Gpg4win | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7a501a63a13fd49900ce70f0d483c0fa5aa258d9dfafab2fad52035d5b40984f | 0 | 0 |
File Deletion | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | ca09f90f6791c066d3cb4ab07b1fbc4ed8bc75831b99eae0123b994db452cc63 | 0 | 0 |
File Download And Execution Via IEExec.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6040efbd7812c47c4f940044893d325b6ecd7c971385b21b9937eac64f2be90 | 0 | 0 |
File Download From IP Based URL Via CertOC.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5e2f9ffcd83c0b9db77da4dea2a15a3e41d342e25f1559f0ef4502a3c223ab43 | 0 | 0 |
File Download Using Notepad++ GUP Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4f6f22cfbe19700db9a0857a1dd2fe09c0e4321d053a4a118de23151e93ca3af | 0 | 0 |
File Download Using ProtocolHandler.exe | frack113 | Sigma Integrated Rule Set (GitHub) | b886d124810a581d5017eaa5d5eb0d9d6835919fc18f7f9b4c5939e0fba81825 | 0 | 0 |
File Download via CertOC.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dded781163ffb42cdc17dab5b8d39a5043a3cc4a4fb4d5d55590e35f10472571 | 0 | 0 |
File Encryption Using Gpg4win | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e0e2268fa3eb3dc08edde73c48c3596f17a2b1662b983ff587375a5b75ea62d | 0 | 0 |
File Time Attribute Change - Linux | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 98a04cf3e09ed0fd0d955b1233d5da45cab63a5a2370ab7dc16a507783467e67 | 0 | 0 |
File Was Not Allowed To Run | Pushkarev Dmitry | Sigma Integrated Rule Set (GitHub) | 9a03b6952f3ce7ab37238d17b0e583d82c02641e1cd9add5995da0319dc8e27f | 0 | 0 |
File and Directory Discovery - Linux | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 3d3b45d016905389c43a4a14252fb73bf6a6f29ca1d925f44b19ff52a9bc0571 | 0 | 0 |
File and Directory Discovery - MacOS | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | de61a9a6e51619752c9f8bf87bb41536abc4f6983711039dcef99b9732a26713 | 0 | 0 |
File or Folder Permissions Change | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | 2aa85d50392d0c934bd643168b9d6106622e796b2f125ccbfdbc65beb9d9328d | 0 | 0 |
Files Dropped to Program Files by Non-Priviledged Process | Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 0dec80af16a1229c7c8b9478448b6a3fe7a1cd392768c3d11e0cc1d3f56ce89c | 0 | 0 |
FindPOS Banking Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b4f6a2934ee226030f077e9c78924c5b5a78d41ee66a0529dd426becc7b33ddd | 0 | 0 |
First Time Seen Remote Named Pipe | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 8f55e684b93688b5ada963a92be16b72c1a0cfc3cb3de96dd117b81f4ca48353 | 0 | 0 |
First Time Seen Remote Named Pipe - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 480a8350961bc4753587db029d2b4b67af4927083b258b8ac071d0dea69e5107 | 0 | 0 |
First Time Seen Remote Named Pipe - Zeek | Samir Bousseaden, @neu5ron, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 6dfb9593c473f7b52b104c46e0f2ae974fd27365b3fef076729065c3ceb7336d | 0 | 0 |
Flash Player Update from Suspicious Location | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f98973bb4e1b72aebf2e59eaeb00827a358135f7260cf198ac43e31c7422e15b | 0 | 0 |
FlowCloud Registry Markers | NVISO | Sigma Integrated Rule Set (GitHub) | ac4c45d3a4b76d63ba2158cb0a11df8d1e2733506cb845e78700108737b600ee | 0 | 0 |
FoggyWeb Backdoor DLL Loading | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 668c7b595f169cd509eb51c29bc594ff624919395214381e2eac4fa7ff9e94ac | 0 | 0 |
Folder Removed From Exploit Guard ProtectedFolders List - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 844e2d6b0a1d8c2344987f279782a4311585180ce7fe178b164a8267a982215e | 0 | 0 |
Format.com FileSystem LOLBIN | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9e9f93dcbdb926c3870d61f8a14fc94391072517d56855658b4592a4e886289c | 0 | 0 |
Formbook Process Creation | Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | f260e0e6e3999276169e5a2b9378f676cfd85254be368003b2cd97e7d6b10e14 | 0 | 0 |
Fortinet CVE-2018-13379 Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 48f4e640f9feb5bf31487a870784507ef5f7d38f22e9b62e9bbd954a197833ca | 0 | 0 |
Fortinet CVE-2021-22123 Exploitation | Bhabesh Raj, Florian Roth | Sigma Integrated Rule Set (GitHub) | c1c52f5ba98a73c39c7b7d859118c45a22218d1c92dbd128e54bcb34942092c7 | 0 | 0 |
Frat Trojan (Loader detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ea1d6297c25d9b1788bf0e9bb1ef3fe785a4ced33855144d3102a01fd227049a | 0 | 0 |
Function Call From Undocumented COM Interface EditionUpgradeManager | oscd.community, Dmitry Uchakin | Sigma Integrated Rule Set (GitHub) | 87990351a4e0cbfe8406a67a021f9d9da456c915388fde098e654a87ba123617 | 0 | 0 |
GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | 13e966f80ac9708db929626d50e35b4c614959c0d209d09425ff454546ad372a | 0 | 0 |
GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | 4aa39f58ddd2f2f3bdd80a29f42c84ca2fe61a048fc8819faaff5df28a22b7db | 0 | 0 |
GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | 54e36ba8fed69643d4a587cef4fddde07614258a1c1996ed0c958450ccadf258 | 0 | 0 |
GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | a28fbac5cff189dab10e229b3a0ae2e24b372d2b111d7262fd83043e661ef513 | 0 | 0 |
GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | a43dac5f26c85a94239a74415d13e774debdccd841db311740a5727d95a105bb | 0 | 0 |
GALLIUM Artefacts | Tim Burrell | Sigma Integrated Rule Set (GitHub) | d1012f082becc4692509094f0b3f52f4bfff06a6a239d05da80ed461dad4a230 | 0 | 0 |
GALLIUM Artefacts - Builtin | Tim Burrell | Sigma Integrated Rule Set (GitHub) | fc4bbb141d939f93ce4dba43aa3b43e635f4dda080c5e27ee58529a1563dab8e | 0 | 0 |
GALLIUM IOCs | Tim Burrell | Sigma Integrated Rule Set (GitHub) | a850462e96a471d0210fd57a8d09b89aa9d484414bb317ed6f8dfba6bfee5d84 | 0 | 0 |
GCP Access Policy Deleted | Bryan Lim | Sigma Integrated Rule Set (GitHub) | e572872e6eb3050c9db82455e71711d2df7eb1225c6fe6cd221b79d724593d9e | 0 | 0 |
GCP Break-glass Container Workload Deployed | Bryan Lim | Sigma Integrated Rule Set (GitHub) | 04c15ed05bf4f34d39c9e1b02fc99df0231f06a70ed3526d0257accf3c68108f | 0 | 0 |
GUI Input Capture - macOS | remotephone, oscd.community | Sigma Integrated Rule Set (GitHub) | e8a715c11ff2888a95d902af6f79e1e2aac74e027662e679bf2d24be5d33ec77 | 0 | 0 |
Gamaredon Group Behavior (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0f97ccec7b149884820f61a172664b0ab480111696291696cb4b3e7ae011c34f | 0 | 0 |
GatherNetworkInfo.VBS Reconnaissance Script Output | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5f1aa9107847a653b477de036cd6fe4554fefaece9391933190ae26efa11b974 | 0 | 0 |
Geofenced Ru | Joe Security | Joe Security Rule Set (GitHub) | 562da91a76462659002a010f3f5e20f6ea8d3c7771e342dce7b3d0b5b2421eb8 | 0 | 0 |
Get antivirus details via WMIC query | Joe Security | Joe Security Rule Set (GitHub) | 6e2720fef4d33bcf8ad643d1ff91ff392e3afc91ad4446024cf5a4dfa46685aa | 0 | 0 |
Github Delete Action Invoked | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 2393e46daab9f09031e88196f68613af866a9ca1aa3fd0ad64df7a1b8c6ef250 | 0 | 0 |
Github High Risk Configuration Disabled | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 9060774ab189fbb7714c52f872af3eccc8401149cddd1a1fdd476025560771f2 | 0 | 0 |
Github New Secret Created | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 96a8d14b1f85567a30ecce1ed8fc5f5fadde8b645e14ad8d3fd20faa71b9cacb | 0 | 0 |
Github Outside Collaborator Detected | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 61f3b704053032dfbd12b0550e20b30a1e52c176782ce45c9e97b07d051d3356 | 0 | 0 |
Github Push Protection Bypass Detected | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | bffdbefd4df124a9762cc97d6c4cfacdaf6de0e7698d4437ac154cb34181b482 | 0 | 0 |
Github Push Protection Disabled | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | e43bef8a91112c70cb37e124cc46737803f9e6385431efa9c1cdf45276053ef2 | 0 | 0 |
Github Secret Scanning Feature Disabled | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | e170a27e21f0d7a68dcc419d09f2dda220ee052875edc19bb09ae9ae272821e1 | 0 | 0 |
Github Self Hosted Runner Changes Detected | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 91f38ae169a00a9b9830f37c3fa50eda9d6fc217915d9bdc4a459c459271f975 | 0 | 0 |
Glupteba malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7d6a15e8de84af0efc173edd7fc1d08b2c8d250be90a41056ded2b99d918271c | 0 | 0 |
GoToAssist Temporary Installation Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | 4275bccc48045a2afcc6bf9a3951c7e3af2c2408a4caa5374a42604084bf5886 | 0 | 0 |
GoldenHelper Behavior (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 85d7d4821cc1ccf999a9455b3045c5778b716b7140209df1e1293db41bbc0bea | 0 | 0 |
Goofy Guineapig Backdoor Potential C2 Communication | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 221d8ea063304e5fe1c7eec941ecc45a755346e1347f4650f38c494abdf34630 | 0 | 0 |
Goofy Guineapig Backdoor Service Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 41d5bda45fc2273a0463327357488936070b64ec52567420b93293a5256434fb | 0 | 0 |
Google Cloud DNS Zone Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4e9fe08e5c9be680bfaf33cddcd1081cd3aba686ce5077b1cd0b5856663dbe0e | 0 | 0 |
Google Cloud Firewall Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 75e61beb3d99547100af121b2ea1688aa808d3688450d44d493780d2cc802900 | 0 | 0 |
Google Cloud Kubernetes Admission Controller | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5790f7e831d8a6bc3ca5c218539243db16d6289b537af31c00d082fe78ed2c01 | 0 | 0 |
Google Cloud Kubernetes CronJob | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 06da8a78620eee29e603c816960eae96dcb6ef22786be2395c7c89a4483be9c6 | 0 | 0 |
Google Cloud Kubernetes RoleBinding | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 555a6561c2563b49ce91769c6ac3f56617339b3b8813f72c9fa1bd32ec71f74e | 0 | 0 |
Google Cloud Kubernetes Secrets Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 6ee389129056d76efea184ded09eba9cf1c324f400b3d0d50b87786d565d0e03 | 0 | 0 |
Google Cloud Re-identifies Sensitive Information | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ddff51832fbd0426593249f7816c2949713da15d8f5f43d7bf73dbe4402ba1c3 | 0 | 0 |
Google Cloud SQL Database Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | a916fae3b74465ca20244fcbd2427d10e602ebd5bd23e20c830516535a652466 | 0 | 0 |
Google Cloud Service Account Disabled or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5162849b0852d05e10e767dcf89c82633c89592c636df59cea0c8d66143fef63 | 0 | 0 |
Google Cloud Service Account Modified | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 26b1499ccf7a72e494ae575cfa25674e193d0d80f0ee981977d65e518bf7575f | 0 | 0 |
Google Cloud Storage Buckets Enumeration | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f5a9b68010504eff3ab69d1406d28ce83a81c9b2399b5424d60221ca6c707c08 | 0 | 0 |
Google Cloud Storage Buckets Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 432ac1fb76a98caf7e4c2c36dc767867c71c8241b3abb88c238e09dd1dd6eb52 | 0 | 0 |
Google Cloud VPN Tunnel Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 1ec92cc5b58c4d0aba97c210716e4f4a0e3bc4148bac041b47e830680b25de8d | 0 | 0 |
Google Full Network Traffic Packet Capture | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 11db866a2c986c2622afc6b4e18e39a469b925ba219af228e1b93928526e7317 | 0 | 0 |
Google Workspace Application Access Level Modified | Bryan Lim | Sigma Integrated Rule Set (GitHub) | 6dae7c95a6c818754ee8289f9c731df89fa58d1c57b5cfeb8ebe324662394881 | 0 | 0 |
Google Workspace Application Removed | Austin Songer | Sigma Integrated Rule Set (GitHub) | 7aad3ceec393171e628be57ad1507a50aaa34f68bfa8af505481b9406de81834 | 0 | 0 |
Google Workspace Granted Domain API Access | Austin Songer | Sigma Integrated Rule Set (GitHub) | 7447e9cdd0e5729172c1c9f7143faf9ada51a1e939eb6100d7066e46913117c5 | 0 | 0 |
Google Workspace MFA Disabled | Austin Songer | Sigma Integrated Rule Set (GitHub) | a6f7ea87e017ce01123928b2e8c2bee1808d90c322c0fe3f8660c929ed149b5d | 0 | 0 |
Google Workspace Role Modified or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | a941017b4f691cb4487bac97de7b0d0a9649ffd6b3f402774dde963b3e3ecdaa | 0 | 0 |
Google Workspace Role Privilege Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | 9eb6ba62c47e14ada70fa08f7edc5aeb9118c433612b3feba5a7ce44fc77a909 | 0 | 0 |
Google Workspace User Granted Admin Privileges | Austin Songer | Sigma Integrated Rule Set (GitHub) | 107b17aa4a3574e6f295747881192bc95a741ad7258df4c3d1abeb9bcd9031d5 | 0 | 0 |
Gpscript Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 45153582f129faf9609ad25ea3a78eaa40fbe940f22dea7bed5c95cda5690274 | 0 | 0 |
Grafana Path Traversal Exploitation CVE-2021-43798 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e5ef12864d0d0ecf036674826506d6184e1b067e991808aa0e1ff455c7ac0dcd | 0 | 0 |
GrandSteal Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4f31c3fa158f312c5152f83df386b1fb92e53b215040fb3ae268cbb215e31429 | 0 | 0 |
Grandoreiro banking trojan | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 43c3cf1aec99bd2e109fd3867cd77e17e8a24f54da3251b30dd592cf83272b56 | 0 | 0 |
Granting Of Permissions To An Account | sawwinnnaung | Sigma Integrated Rule Set (GitHub) | 2c4ab12457b78f88ac5191037416703011e6de4aa39693b09e20823de2f0f42f | 0 | 0 |
Griffon Malware Attack Pattern | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb04ae1086b0cffb1e38657aa6a4e604a568498622ef2377f8748cf52d2897be | 0 | 0 |
Guacamole Two Users Sharing Session Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 17fc2e35d07c0b3986643b473df8b54cf3371854ed30f7d65fe415a944ba6961 | 0 | 0 |
Guest Account Enabled Via Sysadminctl | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 836f4e53e8279f1027fc598ba6a8963ba1a675e9ba8028fa77f9f8a16fe75499 | 0 | 0 |
Guest User Invited By Non Approved Inviters | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | a6d1a27258a4f9bd7fe6be079c7ae0dd1e173a04375cbd8db203cb59a73084d9 | 0 | 0 |
Guest Users Invited To Tenant By Non Approved Inviters | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | 89b61ac9a2defb622e714dbe29d0a4a21419a634018ab9cf31c1307c3148ef32 | 0 | 0 |
Guildma detection (sysmon and cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1e6ac5cb97a765bdc2b15c1ca55ec978b04d9511ddba2126304966bde1b17fde | 0 | 0 |
Guildma detection (sysmon and cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3394ac20f81b6dbd77a611e1dfd1c52794b199583960710ebc28c01bae3a27a4 | 0 | 0 |
Guildma detection (sysmon and cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 667f076dcfacae04c8fada9e9046abae794a581bd995ec39a741752bd4fadfb4 | 0 | 0 |
HAFNIUM Exchange Exploitation Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a53120d1ec17fbf608c6da8cb88f544b76206e830dd4ec17155f718bf5851d0f |
0 |
0 |
HTTP POST or PUT URI Non ASCII Character |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
c4ee6e518d8bece54b732fc5a27bd8515ed478d3f31681891fab56111b6ca18f |
0 |
0 |
HTTP Request With Empty User Agent |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
db3df2f3bab9e0691c10d2f198c0eed1ea877206a8230962360652fa37013d1e |
0 |
0 |
Hack Tool User Agent |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9645aaedf8ece3691433afeb39dfddf3048958fa600acc234a56f522b4f41b8e |
0 |
0 |
HackTool - ADCSPwn Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
945059b9924f612aec04c225310cee7009f0951805322568a62ebbefb71e63b0 |
0 |
0 |
HackTool - BabyShark Agent Default URL Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
65fc9733e96d5061d9c0158d5e935ee4fb89c6a3d5981ed3e2ee6eba8d7931bc |
0 |
0 |
HackTool - CobaltStrike BOF Injection Pattern |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e1f2db3ffec989759e5467440cde906de0dd4aa563b137379e91daed32103267 |
0 |
0 |
HackTool - CobaltStrike Malleable Profile Patterns - Proxy |
Markus Neis, Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1ac8214130ee6892f0f972ca17f84291d8a508e920ffe27c46a0b4a746cee622 |
0 |
0 |
HackTool - CoercedPotato Named Pipe Creation |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ab5e3f496e3b74fa0ec5c3bf3146a05070e9b6df7fe3f7d84271fd418d67741a |
0 |
0 |
HackTool - CrackMapExec Process Patterns |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4d3671d81efce4856adaf6c7f15a83dc288ad1d46f99f88f75626af323c6003c |
0 |
0 |
HackTool - Credential Dumping Tools Named Pipe Created |
Teymur Kheirkhabarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9eed77c2ef05fafded05e61ec71d8bdd695696543061ef8b84fca37d1606484e |
0 |
0 |
HackTool - DInjector PowerShell Cradle Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
10bbdc113d1dc5813708dd95928a8d1a38b22ab4b85bc027daaf8ac7aae65c9b |
0 |
0 |
HackTool - Default PowerSploit/Empire Scheduled Task Creation |
Markus Neis, @Karneades |
Sigma Integrated Rule Set (GitHub) |
40b130caca0f58482d7bae973cb51c3d6c7a02a91a7f448a1c19eb96333f5a10 |
0 |
0 |
HackTool - DiagTrackEoP Default Named Pipe |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a64d5075ca8a68f98e37b952659116501a5fca9bdfa256bec6ee04447d1726b8 |
0 |
0 |
HackTool - EDRSilencer Execution - Filter Added |
Thodoris Polyzos (@SmoothDeploy) |
Sigma Integrated Rule Set (GitHub) |
0a28891154bee6a4bc8a1bc98a35fd1894e9490e988b8278c52b365f6849e5fc |
0 |
0 |
HackTool - EfsPotato Named Pipe Creation |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
33bbc287fcdff32099d907d122b96db06214e7ef12bdbe38cc574df4fbcd94ff |
0 |
0 |
HackTool - Empire PowerShell UAC Bypass |
Ecco |
Sigma Integrated Rule Set (GitHub) |
82469a7e6790faf9f415ad43cdf63ae3c4665bc5c9336e489f310de170797ea9 |
0 |
0 |
HackTool - Empire UserAgent URI Combo |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2f9a27d9a32a1db53d0ad914de9cc96ab6822811498c2464c72d7ac1ae5ea6c8 |
0 |
0 |
HackTool - F-Secure C3 Load by Rundll32 |
Alfie Champion (ajpc500) |
Sigma Integrated Rule Set (GitHub) |
ca26332fee8f2e589029cf0e8f2b212bae02121915a9cc3a2cefe4c1a96419c1 |
0 |
0 |
HackTool - HandleKatz Duplicating LSASS Handle |
Bhabesh Raj (rule), @thefLinkk |
Sigma Integrated Rule Set (GitHub) |
574231f662f39e1a462346540302573f5eff2cb0b05a9343ce362547a729bb8c |
0 |
0 |
HackTool - HandleKatz LSASS Dumper Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8271f85045f41986bde13394d9c0e7f7b1c1f3fc4a5081917fab66e6910de138 |
0 |
0 |
HackTool - Hydra Password Bruteforce Execution |
Vasiliy Burov |
Sigma Integrated Rule Set (GitHub) |
5f85313e54e037d0a06c79adac1b8bd95bf5684edfe87bb3f3f272501e30ece0 |
0 |
0 |
HackTool - Koh Default Named Pipe |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
842f5fc58659b2e818a0949c0efb8e6c8107aad092d5c33548e4ae9ca5e8b5e2 |
0 |
0 |
HackTool - LittleCorporal Generated Maldoc Injection |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f10b695dfd304615f49826a39fd11fb539271f8272a9a80be8f070a758f8f025 |
0 |
0 |
HackTool - NoFilter Execution |
Stamatis Chatzimangou (st0pp3r) |
Sigma Integrated Rule Set (GitHub) |
83c1fee5d3f0a30333e726ee57260e50c629c03c36a1e6cfbb905861f9aa9cdc |
0 |
0 |
HackTool - Potential Impacket Lateral Movement Activity |
Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch |
Sigma Integrated Rule Set (GitHub) |
3d5ac2209c46a9cb869f82a51ef7ec32954bc3ca32fe710929ac41137e9f7957 |
0 |
0 |
HackTool - Pypykatz Credentials Dumping Activity |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e9fa03c18cdfe5568dbbe75862d4ab693fba40025a197a2021d576f54e3eaf76 |
0 |
0 |
HackTool - RedMimicry Winnti Playbook Execution |
Alexander Rausch |
Sigma Integrated Rule Set (GitHub) |
2c7173d7fd6c440ff57e03f67e736353c0d299567579d74292ce79ddb87df5b7 |
0 |
0 |
HackTool - SILENTTRINITY Stager DLL Load |
Aleksey Potapov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
982e0890a488328656147907a9d7da438f6a9b5f133b90417b42dd585d158a15 |
0 |
0 |
HackTool - SILENTTRINITY Stager Execution |
Aleksey Potapov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d6d031ceeda5d6a3d7194bd6ec4d67e5ffb9cc743448939fdf278463bdd3e686 |
0 |
0 |
HackTool - SharpEvtMute DLL Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
088c5e93a6fc8d47e8aefb1c8a6ec0a9121dc88b06d12d5afc5d1fce763d7976 |
0 |
0 |
HackTool - SharpLDAPmonitor Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e45b16fd030f52e69c512e3570de6d000efb8a0e03c4073637e04aa773354410 |
0 |
0 |
HackTool - SharpLdapWhoami Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4d8c1119b99b2be0533b5c4e1874458c9062d923070ac945a5c5a33dde33f486 |
0 |
0 |
HackTool - SysmonEnte Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d76fa45ff73052fe0c5306fe21e260c983e615a85c7e7f60c649361b1829b09a |
0 |
0 |
HackTool - WinRM Access Via Evil-WinRM |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5ad71f4134dddf8bef6aed44120ca9d774108b3c4e8b7e322ca38e989a8cf176 |
0 |
0 |
HackTool - Wmiexec Default Powershell Command |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0dd0031606f0639c042c9ad5ddc567446c4ded763ddee51e079179231c557209 |
0 |
0 |
HackTool Service Registration or Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3057e0a4efcaf39794e0b634e3b7516983648b9fd483da5f9f735a5c5e61d415 |
0 |
0 |
Hacktool Ruler |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cd304d70f67c3d14033f831971d45bee3264cc411ea28209db2f6d148ea9f2f6 |
0 |
0 |
HawkEye malware - Coronavirus scam (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
06789be682ab6cf58699c03653b66c7f9299038c2c44e967e3c68a2e40fdbbdc |
0 |
0 |
HawkEye malware - Coronavirus scam (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b7f993191f989d1f86bba4825f6e96a7c27e80b1bcdbf6ed6478ae89239222eb |
0 |
0 |
Hermetic Wiper TG Process Patterns |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c8367923eee3d294cbbb06eeceb57cbe0b7a0614928e3e45a857da496c12a7ae |
0 |
0 |
Hidden Files and Directories |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
6c95803fd57ca93faa4a13a1be90825b893e3d84ac45ca8c70e80cf1574d4028 |
0 |
0 |
Hidden Tear Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b11fac69696a228f0a15679f595df7b336dde8d11522e2dfdd9e1004aacf5721 |
0 |
0 |
Hidden Tear Ransomware |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
e2c2e16d85599543e91b4dc9d25bd09e1b1ba61cafa1810a31073a40c91da39e |
0 |
0 |
Hide copy and delete itself |
Joe Security |
Joe Security Rule Set (GitHub) |
e491fecd17c16aecfb3b5ac96288fcdcf7c8ec061a8b1649da4e907b511f1208 |
0 |
0 |
High DNS Bytes Out |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2bc3d95bf98633de61ea95a005c1b04db78ea390377ce363fc04a09d20374cde |
0 |
0 |
High DNS Bytes Out |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4e81552b913384840b8f3b631ab5be105841ff6a829f1a496fd1e3e13effafba |
0 |
0 |
High DNS Bytes Out |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
5d26dba8fce23cc9f2e893e61faa96cbbae4bce1e530e4154294172451e4a1b1 |
0 |
0 |
High DNS Bytes Out |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a958051334fc197d28be902cc93f3d866e1ca9a16f90a70f21bd60a2f47fbc29 |
0 |
0 |
High DNS Bytes Out |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
db7861630c3853feeea696d711f739104df19b415fd9ba6c1a8fec46002a8fbf |
0 |
0 |
High DNS Requests Rate |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
16b85da18d9082b3b4511ae7d959fbf89409bb88f17d708af4f48b0a422adefb |
0 |
0 |
High DNS Requests Rate |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2082aad99bb35c4089a7d806951cf7090bca3bdeb0a052f761dc38d878e58c57 |
0 |
0 |
High DNS Requests Rate |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4d753950eaec7ac9fc0b84352b52a7d1e44cd4806bded593087c93032ce8e29a |
0 |
0 |
High DNS Requests Rate |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
888de5606c7898a641ac0f06071d731769cd6a0c2a8638b9bd65e4c7832b4a8c |
0 |
0 |
High DNS Requests Rate |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fb55eac70ca85e41bd6aedae03e77e21466cde4d3e05bdccc80080c9df288d8f |
0 |
0 |
High NULL Records Requests Rate |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
85891d3694d60dcdc316d135514866fe396add3b76b77fb7cb7757ce6012957c |
0 |
0 |
High TXT Records Requests Rate |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
27156cd3bf11019c9f610f2ca55106a23d64717f78b7db1730a6b20daae7fc23 |
0 |
0 |
Hiloti Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
66ff25e9989ce9c10959062d94b9a42964f9a4b9a8fd8a2d4ac868a68139315b |
0 |
0 |
Hiloti Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
6bb0fcaf34349cee860ba3a315fdc7aed5aa00d66dcf54cae167073a246cf851 |
0 |
0 |
HiveRAT detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
030121281d0e4b69a504d82c281cb7406b2d3e2fd7ff8497648ea7198ce49781 |
0 |
0 |
HiveRAT detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
1542db80b3c0353f1a027f7ddd3b1a2980335d4ef03fae03a4f951743f67648e |
0 |
0 |
HiveRAT detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
bfa9006c02a3c62043c1bd4c10f77dd29fc786bc22855e00928082034c4307cc |
0 |
0 |
Host Without Firewall |
Alexandr Yampolskyi, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
b27d91650a86f43d59ca651fec4af5b7b4a87e4b4d5b89b819a3aa69c312b60e |
0 |
0 |
Huawei BGP Authentication Failures |
Tim Brown |
Sigma Integrated Rule Set (GitHub) |
be7ac6e767527eca7b2258278be7bdc4efc00f5c296740a197b7ca7ce099f0ee |
0 |
0 |
Hurricane Panda Activity |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
0595fd00a8b7a34a40b618e9649d81ef7256ae0a3b3ceefe70821decfce1feb7 |
0 |
0 |
HybridConnectionManager Service Installation |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
517263a8c15fed9ded106be882b2ec39dde9a02250421088d9b2a222e1516406 |
0 |
0 |
HybridConnectionManager Service Running |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
711a6c8a033fd8cc45c82ea8fdd9a7b6f95b70c88e157d2d67579ce7dff11b76 |
0 |
0 |
IIS Native-Code Module Command Line Installation |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cc3ea4eefe5144350cce95a37a83b5a54cb1c3588b6a08901eb81ce60a358d20 |
0 |
0 |
IIS WebServer Access Logs Deleted |
Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2bdd5fc78153ede4a985b002b6ea2531d1354c62ac4f2e9818ca322fc5f79a71 |
0 |
0 |
ISO File Created Within Temp Folders |
@sam0x90 |
Sigma Integrated Rule Set (GitHub) |
8c28faacb89d5c3cbd177e6768102f76073d1af8ab937c6c782b8160a9790f51 |
0 |
0 |
ISO Image Mounted |
Syed Hasan (@syedhasan009) |
Sigma Integrated Rule Set (GitHub) |
e6b3709b80b265ad0fed3cb1ec046dc0b3dfa6eba361f593c53333b71c662136 |
0 |
0 |
IcedID Downloader |
Joe Security |
Joe Security Rule Set (GitHub) |
967066367d1b4b6d60bdc3bb6c06da99df284842490e627971ffc36d72138e44 |
0 |
0 |
IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b6842d649ac9e8d7845bb2486a1935fc49c1697141a58b27bd823145877d9243 |
0 |
0 |
Impacket PsExec Execution |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
3f02ed054f271ff6065ad30572fa0e95c2bd16820da55d1ad40d10e8fafd0eca |
0 |
0 |
Import LDAP Data Interchange Format File Via Ldifde.EXE |
@gott_cyber |
Sigma Integrated Rule Set (GitHub) |
4895f0d6f0337794cd64b63d68f316d2ed34403f092d4a1b8b7c8a07d10bb0a2 |
0 |
0 |
Import PowerShell Modules From Suspicious Directories - ProcCreation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3636d6960a4fdaa247a9229c6977343b5935aaecdb369c47b5d06a5ccf8edd9a |
0 |
0 |
Important Scheduled Task Deleted |
frack113 |
Sigma Integrated Rule Set (GitHub) |
ced7d7ecea464da8a488c81ba6cd1c7f6c4456f43c031be05fca12ec47619c82 |
0 |
0 |
Important Scheduled Task Deleted/Disabled |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
37d960245680a83696c37572fed47a760ac9f35e3d7f7384d84013ddb80ee6d2 |
0 |
0 |
Important Windows Event Auditing Disabled |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
edadad8f74e960e4e4346a92c4fbd62433e86a86aaf6075226454180e5ba37ce |
0 |
0 |
Important Windows Eventlog Cleared |
Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d2b78f97575e285485f323f331b7e24d482365d4a529def31a351c4d9e11c7c4 |
0 |
0 |
Important Windows Service Terminated Unexpectedly |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
46a808aeb4d234e65bb076ffefe72a0a9e2c18011ffb83e1116965b8b8403fb1 |
0 |
0 |
Important Windows Service Terminated With Error |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3ee70a48b21b9af9ef284435a98e6bda46175802c92002d2431729c7238694e3 |
0 |
0 |
Impossible Travel |
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' |
Sigma Integrated Rule Set (GitHub) |
0b79acea2d3442c85023d0bab300d9e1159fd611b0c6ab96619ebd6dc7ede589 |
0 |
0 |
Increased Failed Authentications Of Any Type |
Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' |
Sigma Integrated Rule Set (GitHub) |
b903a8d9dd8b43b85cbd8c2467eb5723ff3cba5be621a5ab5bb5e0deff92f304 |
0 |
0 |
Indirect Command Execution |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
Sigma Integrated Rule Set (GitHub) |
949493fff309832e61eefbc1517c38dc21116f3e97310be0dfd27ee7544382e1 |
0 |
0 |
Insecure Proxy/DOH Transfer Via Curl.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
898a6c63c0232e151811e296ca93ef77ed035a4c7ac8c63ff500ec2bc5c756ce |
0 |
0 |
Install New Package Via Winget Local Manifest |
Sreeman, Florian Roth (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
12f03e6b0e193a0311b8fdfe379fc617a6b5ec4b6afd3fa4e2f8b3f1eb8774e8 |
0 |
0 |
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b0c213591ac3b9d67559c62e06f44e984fa9cccd8eadc7126488916b8f112271 |
0 |
0 |
Interactive Bash Suspicious Children |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
307bbe63ed2d150b908b15872d2d0d219c8352a56dd41050e8e410a8d2e45ddc |
0 |
0 |
Interactive Logon to Server Systems |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
287dcb23b97461c15bc628626d410d7134857f2a8a73b5867709120813e47c17 |
0 |
0 |
Invalid PIM License |
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' |
Sigma Integrated Rule Set (GitHub) |
4fc936c9241641df392c8906580d670a9367d1bb2d0544daf8f6694c6f36d526 |
0 |
0 |
Invalid Users Failing To Authenticate From Single Source Using NTLM |
Mauricio Velazco |
Sigma Integrated Rule Set (GitHub) |
bd35715e77f17842c47f4bd45fb125c2aee1c533dadb3de025a01b53ccdc7464 |
0 |
0 |
Invalid Users Failing To Authenticate From Source Using Kerberos |
Mauricio Velazco, frack113 |
Sigma Integrated Rule Set (GitHub) |
24e430c06c4928d27c8c23097b69829139af8fce404dbe51f3b1a45cfe4c963d |
0 |
0 |
Invoke-Obfuscation CLIP+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
55d070128f8d768c5650c81c573dcfbad37b719f2e5b4c2e508c2a7fde28c9ba |
0 |
0 |
Invoke-Obfuscation CLIP+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
66ae2d866adeac92a15a12e31d3a3be37036f330111ae0f3fe3b7c895374ede1 |
0 |
0 |
Invoke-Obfuscation CLIP+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
66f7192930e6691d3b4ee72b4a6351242a104911c34cc2e563539db593bf6bc5 |
0 |
0 |
Invoke-Obfuscation CLIP+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a4095d2245c467d53d473d6f0b5664e6043544a19c73bd87d555a5316ada37e7 |
0 |
0 |
Invoke-Obfuscation CLIP+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
dd967df044da70a0ce8e3d0766de79d0c1392ca968e6c1f2755dc95b76062a7d |
0 |
0 |
Invoke-Obfuscation CLIP+ Launcher - PowerShell |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d9fcc5b01474c94f013105b532ce885ebb7d8cedac210ff18bb921bd350afa1f |
0 |
0 |
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
61b487de335dac84b1a9bbd3816d5111cabce315463c02cb2953344caca3cd95 |
0 |
0 |
Invoke-Obfuscation CLIP+ Launcher - Security |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
07b20a8191672f390880af0dfccb1dcb42df51d9b0e0e5b4f4a34ae2636c385a |
0 |
0 |
Invoke-Obfuscation CLIP+ Launcher - System |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
bc4b79447cdefa2382da736b3a63a3ce5a01a6400ed11820db5ee38b981e2e34 |
0 |
0 |
Invoke-Obfuscation COMPRESS OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
23d33c003cb0a2893d558ec9fc1f759265b5200122f0155a81fd6da5eda7cb4a |
0 |
0 |
Invoke-Obfuscation COMPRESS OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2abb23702384c2980e4ffe0dd690fcd4ba17539c7c79c6718252778eab17fcc1 |
0 |
0 |
Invoke-Obfuscation COMPRESS OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
30afe98d3f1fe8511eb6a67ad5f0d954762e3ae473d2c53b390482613c6afe8e |
0 |
0 |
Invoke-Obfuscation COMPRESS OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b5835a1f1f607f7c9b2995761947f379ab9343ac06637ece5caf60435a682e6c |
0 |
0 |
Invoke-Obfuscation COMPRESS OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f39f375a39ff602aaeb463af7e29f879cf1e2728e1bfd0ce46c68ce463d545c9 |
0 |
0 |
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
40db318f5624034dad47f954fe3a2bc47f2e09bc7d14e2311481d406665bde6a |
0 |
0 |
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
eacdd56ee69da6ba92a6f01f7d2cb4022f9ffb08eebd0a09a1e17012fc9f3307 |
0 |
0 |
Invoke-Obfuscation COMPRESS OBFUSCATION - Security |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
dc78b6b33628aead1fdeb14c4a18756a01373ea62b8d5462c0c12f0dc5dc8be0 |
0 |
0 |
Invoke-Obfuscation COMPRESS OBFUSCATION - System |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
bf865a7d8524d34ec2fcf366103b431319a364992070da49982bf7a6bf68fcd2 |
0 |
0 |
Invoke-Obfuscation Obfuscated IEX Invocation |
Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
Sigma Integrated Rule Set (GitHub) |
02563551ca2b811c4f5ebea13242cffde0a8e5d1dbe9578a4e836117c3344457 |
0 |
0 |
Invoke-Obfuscation Obfuscated IEX Invocation |
Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
Sigma Integrated Rule Set (GitHub) |
532d5adca424a8a32820d44f658dea5035219510229a38ea885eea469ae8f8a7 |
0 |
0 |
Invoke-Obfuscation Obfuscated IEX Invocation |
Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
Sigma Integrated Rule Set (GitHub) |
6e2b0909c3266faf43a0917df01825825b4ad958d6cdaa0a45c9cfe53e15affa |
0 |
0 |
Invoke-Obfuscation Obfuscated IEX Invocation |
Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
Sigma Integrated Rule Set (GitHub) |
7c97dec04489c3636dd72432f11eeb579854a1d03d55419bafb059e73e43dd4c |
0 |
0 |
Invoke-Obfuscation Obfuscated IEX Invocation |
Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
Sigma Integrated Rule Set (GitHub) |
89b3cbec0ebda2750669f9b5831ae50fb9a2e58ba9d9ecb76d82c553dd9fbaed |
0 |
0 |
Invoke-Obfuscation Obfuscated IEX Invocation |
Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
Sigma Integrated Rule Set (GitHub) |
978e8ef0c97aa415779127f1b750df3d71553c0ed2f593b7499f7213094b8a22 |
0 |
0 |
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module |
Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
Sigma Integrated Rule Set (GitHub) |
6e503c48dbf119e0821aab4c7ebde353e0b781363fe0c88ac53e10fabedeeb33 |
0 |
0 |
Invoke-Obfuscation Obfuscated IEX Invocation - Security |
Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
Sigma Integrated Rule Set (GitHub) |
229bed31b945cf52d288e09e87afafe82ddc418cc89ac78e4aa57bb1505f4e17 |
0 |
0 |
Invoke-Obfuscation Obfuscated IEX Invocation - System |
Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
Sigma Integrated Rule Set (GitHub) |
778d34341a09f9942b6754b257881e32f43e5eb36c396c5a7bf385626994b6a3 |
0 |
0 |
Invoke-Obfuscation RUNDLL LAUNCHER |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
15e77f32f6ce577059ce2a023014f97f6166500fe342a790642abbb2d7524dd1 |
0 |
0 |
Invoke-Obfuscation RUNDLL LAUNCHER |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
5092dd88f643768409b7b033996ae9886f7916c352f876f58742e741c818de58 |
0 |
0 |
Invoke-Obfuscation RUNDLL LAUNCHER |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
513a8ffd6dffc7c0f80d19848150c2e0de524c7115a18106ba96a0d789b07e1e |
0 |
0 |
Invoke-Obfuscation RUNDLL LAUNCHER |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
669e0fa4f936ba08d94a0d94b4ff0a17a257f5b85f14a70e608f1804ef1226ef |
0 |
0 |
Invoke-Obfuscation RUNDLL LAUNCHER |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b81cfe0479a3286d77237d8297165880ec1fbe3652ad795ceb1abaa1eccb8d0f |
0 |
0 |
Invoke-Obfuscation RUNDLL LAUNCHER |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f4b87782d8c00059afd020eed2b619da907273f77ea5c3ba678a81e4a369045e |
0 |
0 |
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
36d028c2bbec04da64cd22e6d7ade29f0485073c4f2a33748b660bc41add11c5 |
0 |
0 |
Invoke-Obfuscation RUNDLL LAUNCHER - Security |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d304bf8af334b938ef27fc29de6beeba9510de9abd801458029e2aad0a96a430 |
0 |
0 |
Invoke-Obfuscation RUNDLL LAUNCHER - System |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
013f9f3361dd5e5e166cef93640767e854c135731f7b10a6e86a582e2a3da454 |
0 |
0 |
Invoke-Obfuscation STDIN+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
33f26be0d86ded162f5f9983f8ccec7e33739e7d61ce1550a476f8d6d9fb1585 |
0 |
0 |
Invoke-Obfuscation STDIN+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
3c63fdf3c3489825803565ebef9d7aa5574b069b7df909431ca0cd9bbfff1014 |
0 |
0 |
Invoke-Obfuscation STDIN+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
5a405d8959e0dbe9e8c85da1ee53bb94a514c82a1c85543bcde6cdb5fa6c8d81 |
0 |
0 |
Invoke-Obfuscation STDIN+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7c91efe9f8bcf7588b12461abfce94d9de990787f00ec01fdc0378b6d0ea5f7f |
0 |
0 |
Invoke-Obfuscation STDIN+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f46e368df2720b7c679c6d8a7af787029a555248b2a687d244934f424619531f |
0 |
0 |
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a48b077866cf1527dd61081ba5998bcaeba2f75f76f2b644f786592b048ccc42 |
0 |
0 |
Invoke-Obfuscation STDIN+ Launcher - Security |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
21fb91a013d99fcb0a512f126e1db671d61521863baf20148369276f4ce90a79 |
0 |
0 |
Invoke-Obfuscation STDIN+ Launcher - System |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
e65f5089591863acc7d1b0724c258c83ed40c7f2ef5a4d11da364c316768c806 |
0 |
0 |
Invoke-Obfuscation VAR+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
37472617d726e65dc836731e68fa4b615e3453db5924b2ed694f6d42f3fa2e7c |
0 |
0 |
Invoke-Obfuscation VAR+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
785b999a59eeb49c52b8de6db77180b2f32a1c32f55c5a66124df629511ee71e |
0 |
0 |
Invoke-Obfuscation VAR+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
85c1b5321d15597e6d632e33d628537f69719336ffcaf3486716d44dc6a94690 |
0 |
0 |
Invoke-Obfuscation VAR+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9fac765a1fc90df763e78970562f2ec88d72f5a1b755dc6922c9df6f6b3283a3 |
0 |
0 |
Invoke-Obfuscation VAR+ Launcher |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d5a5398fc7d4724a6543cb1b92710954d8f52105738cb1bd31d2db507b433082 |
0 |
0 |
Invoke-Obfuscation VAR+ Launcher - PowerShell |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
cf80a5797b65d0aae908c9fb7bdd2ffdf5cdbace0b8e61a02320a61266fddbce |
0 |
0 |
Invoke-Obfuscation VAR+ Launcher - PowerShell Module |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f0ed779291914bc6744829d783902b1aa18afca33fcdce512a6e6dcec594b8fe |
0 |
0 |
Invoke-Obfuscation VAR+ Launcher - Security |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9e447b626bcce83fc27a2087f918f28e255669c87d60b118fea3f35a6276ace9 |
0 |
0 |
Invoke-Obfuscation VAR+ Launcher - System |
Jonathan Cheong, oscd.community |
Sigma Integrated Rule Set (GitHub) |
46f308942e8413fc74d14eb28362c26efc33f463b1d70394188e9cc50989434c |
0 |
0 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
43fda3b4b26f2d722e172affac6a534e640b6f690827cb80f27eae7bf1121924 |
0 |
0 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
56d1f6c5dcbbe1fd4ecdb87028f432b123ac0cf5fe37a336f0ed6c34521f370a |
0 |
0 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b85a3806145ca2440f6e4328faea04b4694be6c4dfad9550ca882b91babed162 |
0 |
0 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b95438303858dee4a1b7686bca97ba3c32d14bde4bccb73cd0cce0decef9cb1c |
0 |
0 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f80b47791783e7ca801863d05a76bb83fb2ae70b2dc9d18a13fd9db9172baf46 |
0 |
0 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ff49fb699dd54313f9d61a9bba7e0c0021f31cf6bbad67452754dffe5f1a87f2 |
0 |
0 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ac263989614ade79cd7024eb73729ba0d899416a4618b2b37f9fe886b6ae1ea6 |
0 |
0 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
23598265f485b73118223796eab6ef3d4710b6c7855ae76fe8ef5e3156537361 |
0 |
0 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9b7f8d96a709f458ef164dd0c2b1c0bd21506b6a9292710e95e822b262716fc0 |
0 |
0 |
Invoke-Obfuscation Via Stdin |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
171e9c19da7073d50de0611f10f7fe49f18e33f0eb2271f1451e3122dd70da39 |
0 |
0 |
Invoke-Obfuscation Via Stdin |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4c4b43817f5f5dcaf3aadb0e508301e535f4809ca042fa2cec1ae56068e38683 |
0 |
0 |
Invoke-Obfuscation Via Stdin |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b3a5bd1f34b26d6c54d45604acabcec5814c2c266d0ab0547c722d22583b78e8 |
0 |
0 |
Invoke-Obfuscation Via Stdin |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
bba8cd2d0e60c82277d0117e4841b13ee087cacccbf6b9bdd7d3c83f0375582a |
0 |
0 |
Invoke-Obfuscation Via Stdin |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d9663bea4419d4e77af5748add1d59d90a3c136f0100ad05f55199c8b38636f0 |
0 |
0 |
Invoke-Obfuscation Via Stdin - PowerShell Module |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ea2300c5e8a8dfac7a21e289614c34963c361bffda74ba0ddba16af4c009a74c |
0 |
0 |
Invoke-Obfuscation Via Stdin - Powershell |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
e6338468914bbd534177587d16fde9881596bc9d1ac95c3a142e76a6d587e32c |
0 |
0 |
Invoke-Obfuscation Via Stdin - Security |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
5a9474f49eedd6f514e9f05bd95d3fde3747f03da5803a359962b76fe04d3dc0 |
0 |
0 |
Invoke-Obfuscation Via Stdin - System |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ca82d3c569666b788bdb9b704468045f733d45dac72cb22f0dc35242d6dd30ce |
0 |
0 |
Invoke-Obfuscation Via Use Clip |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
0d70c217e51ad45cc6411546634b710d8a2bd8d7fe04cea155aa5a5274d4b8c1 |
0 |
0 |
Invoke-Obfuscation Via Use Clip |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
52417f5a914da422b1f4a12eae2a1fd94408538cc4aa1373f9a527d748628701 |
0 |
0 |
Invoke-Obfuscation Via Use Clip |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
62ac6078947c91fe388df8ac3354f7d5cab59710aa0d057148b72b409203a565 |
0 |
0 |
Invoke-Obfuscation Via Use Clip |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f8caa5c28a6fabe724cbb68e6a4175a973edeb9f4a0caf001cd768f207c2da3c |
0 |
0 |
Invoke-Obfuscation Via Use Clip |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ff8bf7ea172d6967d31c7cd3833e156278c00c013da4bed9d4b45159acd507cb |
0 |
0 |
Invoke-Obfuscation Via Use Clip - PowerShell Module |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
76af6c7b5bbcbcbccfb2ea260489d66ab26fb91c612afce2eea8b5538bb36c35 |
0 |
0 |
Invoke-Obfuscation Via Use Clip - Security |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f7ed971f190a397799a0730d5ae3ae4a8795ea76e42554768900a03c1bbf7ad2 |
0 |
0 |
Invoke-Obfuscation Via Use Clip - System |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ce17aada5a7768055bbf5a416696626ce2063fc2947da124934a97f0ff076ba6 |
0 |
0 |
Invoke-Obfuscation Via Use MSHTA |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
0930a93e61dc6ca5c708a09f8f1a8c0dc24b8d942a8e8900144c6dee8703e343 |
0 |
0 |
Invoke-Obfuscation Via Use MSHTA |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
0e5566fb9e5f855f277b707f52ff16085f2976cb6768b08e3151b738f7cc6992 |
0 |
0 |
Invoke-Obfuscation Via Use MSHTA |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
43cbdd33506d9ffaa0d9a81b702937c5941031eccf02bfa20564b42417d9ff47 |
0 |
0 |
Invoke-Obfuscation Via Use MSHTA |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
aa4d39be626c3fd4a68412b1a7760b0957c0c5b86f79eb893d14f58e7fce6c6d |
0 |
0 |
Invoke-Obfuscation Via Use MSHTA |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fa1bd4dbff85b70daad8ab600a4cfee9488c2ff0188d3cea00e84d7b073405ea |
0 |
0 |
Invoke-Obfuscation Via Use MSHTA - PowerShell |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2f4d7a7bc3e29eaeac5423c4d276d9a90586e6c3d4277f4d264c9d8aa54f6ec3 |
0 |
0 |
Invoke-Obfuscation Via Use MSHTA - PowerShell Module |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
437698a3ddc141ac75cb061590808bbcb7de0b4fb7ebaf60345f0549f4cc9816 |
0 |
0 |
Invoke-Obfuscation Via Use MSHTA - Security |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d851e8933dce5155d4504668c3fad20bca16e503e478165aad802dc4e5634563 |
0 |
0 |
Invoke-Obfuscation Via Use MSHTA - System |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a5d8322f8fd4a171b92a497efdb17590b3b6b58818835a034997d21e4270b693 |
0 |
0 |
Invoke-Obfuscation Via Use Rundll32 |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
4131754f7c0e71d23eac2114f63c2445f3ea1e8f38df8a76563917e98baf7123 |
0 |
0 |
Invoke-Obfuscation Via Use Rundll32 |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7d11bdaa4f671e75a6cf0ddb788f3ea6ff550f3371c61cb0a29f802ef5ac61d0 |
0 |
0 |
Invoke-Obfuscation Via Use Rundll32 |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
93a7143b3c3623e84f71a4ba7087c95eadd288a96cc5205d70645fb23d9fd956 |
0 |
0 |
Invoke-Obfuscation Via Use Rundll32 |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a7908e5cb15379fd8bcf3a9689d34ff1a5a72ab4c6ca6d6c65e24d53ffbb2c13 |
0 |
0 |
Invoke-Obfuscation Via Use Rundll32 |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
dc490d5d39ceac22ac7a184263ef179d60d4acaa65976183ddf786bd75366d9f |
0 |
0 |
Invoke-Obfuscation Via Use Rundll32 |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f78da06c94256bbc6f7356a3883982528e6282d615f1a6c25c43ddaad4687c18 |
0 |
0 |
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fc25895e0aab53d526b1f268874e1f81955fb22d2d310fc8a14e2f4cc28a52b4 |
0 |
0 |
Invoke-Obfuscation Via Use Rundll32 - Security |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2f55b73ec314c7381dc97abaeb5ef1469713fc1c552265bc1225b96c6ad6cc83 |
0 |
0 |
Invoke-Obfuscation Via Use Rundll32 - System |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fe3560ed4bbd6192e8416571fbbe1e5fe61a8b92201d44f818823f75e7f8578e |
0 |
0 |
JAMF MDM Execution |
Jay Pandit |
Sigma Integrated Rule Set (GitHub) |
84004bc1bc5647986b7d6975284e5e0c645519882f3824b6f85b0818116789c1 |
0 |
0 |
JAMF MDM Potential Suspicious Child Process |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
318d795d6174586c38f35d0882f6ec868df0e3a9fdaa1a66c81134860d2a8258 |
0 |
0 |
JNDIExploit Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
67e1bb7efdc9f72507d792fffd9669f000bac02c81b6c5880693f3e473360550 |
0 |
0 |
JSC Convert Javascript To Executable |
frack113 |
Sigma Integrated Rule Set (GitHub) |
2ff165b71352ba7322e48c1d765629db5ccf8ba92e65a3ab9a4d375da0846a6b |
0 |
0 |
JSOutProx RAT (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
02be37dad81df3baa83c02c795e51416bda450b6272fe9585a50171a69535256 |
0 |
0 |
JXA In-memory Execution Via OSAScript |
Sohan G (D4rkCiph3r) |
Sigma Integrated Rule Set (GitHub) |
d9ee3be0af3ae45d8636dbdf1163e825e59e445cd37f090d09146c1a898a8f7c |
0 |
0 |
Jacksbot (Registry event and CommandLine parameters) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
2be33206faf76054bce199518f9ba877ad2a9477b51af98ca05dd646dfb42c6c |
0 |
0 |
Jacksbot (Registry event and CommandLine parameters) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
de380d617af0b2dd78f410efa4fc36f895a556759177b34f04dad90698a9b833 |
0 |
0 |
Java Class Proxy Download |
Andreas Hunkeler (@Karneades) |
Sigma Integrated Rule Set (GitHub) |
b86f637637bb79d44a1590bf2bb4feadebbd6c2757ea9c0016f1a9595504b17d |
0 |
0 |
Java Payload Strings |
frack113, Harjot Singh, "@cyb3rjy0t" (update) |
Sigma Integrated Rule Set (GitHub) |
c08fd4adc55b78e8d134a4b62c4033306d8fb40ea0ad0142f08d3abb92a38f6f |
0 |
0 |
Java Running with Remote Debugging |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2e7d87bfbd32ac2342d15ebcc05f5ef626e85c6ff102705ba365a90790098278 |
0 |
0 |
JexBoss Command Sequence |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a3bdc4cfa6129ab202d0c31fd0a1b62c238614b1ef2d063913d6414edf0845b7 |
0 |
0 |
Juniper BGP Missing MD5 |
Tim Brown |
Sigma Integrated Rule Set (GitHub) |
0f52da7ba37053b38aabf543fe6b48cccf492982b0c4423c605a9a7cd868a9df |
0 |
0 |
KDC RC4-HMAC Downgrade CVE-2022-37966 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
27f15384e2982097a0a8f2fe8eb9d85961bb03d938d5bf55161e73748c145243 |
0 |
0 |
KONNI Malware behavior (APT37) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
7f8871e9eb7dd4fee1e3a813c111693a960996e217fa6df263e3f2c45aa76a90 |
0 |
0 |
KONNI Malware behavior (APT37) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
bb00a72fbfec2b0477f7a87eb9a66f6853e363526c96616ab8f9e89c0865617b |
0 |
0 |
KONNI Malware behavior (APT37) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
dac73d2c69f90d09101600bec5114075b4bfc85ce4fd276570acd4b4b4002ac3 |
0 |
0 |
Kavremover Dropped Binary LOLBIN Usage |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5b8e59ff6d9a6f17dd0b0fd91dd941c81c17da2acaee4aa1780ad09220c2b7cd |
0 |
0 |
Kerberos Manipulation |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
231c4645e3a84818601e73156d0ec49d61870632b546fe129f75f9795fa95b1a |
0 |
0 |
Kerberos Network Traffic RC4 Ticket Encryption |
sigma |
Sigma Integrated Rule Set (GitHub) |
78b71e2b045b325f1db537748abc852151228024bbcd946684eb402afddd7b1a |
0 |
0 |
Kernel Memory Dump Via LiveKD |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8f653bfe06c9fe8a46b54940b63e1a47715e9b34f655eb6e661b95b913c06435 |
0 |
0 |
Koadic post exploitation rootkit |
Joe Security |
Joe Security Rule Set (GitHub) |
6cfb40f83f69b8f6221133239461ee688e15ec2c65581eb5b5674a17e24831a1 |
0 |
0 |
KrbRelayUp Attack Pattern |
@SBousseaden, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
64cdef165052eb8d7e943c9183a9d5e851f727944f805f496f559197cc056855 |
0 |
0 |
KrbRelayUp Service Installation |
Sittikorn S, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
b0f99c5d2b939c246d80589cd822cbb165443af4f23bae7359a25112c38e400c |
0 |
0 |
Kubernetes Events Deleted |
Leo Tsaousis (@laripping) |
Sigma Integrated Rule Set (GitHub) |
c50e13c35eab60efafafe5755f23529d76fc7699f3adeb8980bd9c330cc0c096 |
0 |
0 |
Kubernetes Secrets Enumeration |
Leo Tsaousis (@laripping) |
Sigma Integrated Rule Set (GitHub) |
b99b4cf4bd9e0f922aade82ec85b2c265f34011959c511024c183a28b8307f77 |
0 |
0 |
Kwapirs Trojan Detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
1de7d62f1812c7f6b8864dd143e6647161ac4299a1d79041266d401042177e4c |
0 |
0 |
Kwapirs Trojan Detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
5c5eb2e19924ab6d6c54d36e0730e90e8dfea2ee983a708a1ecf6a596cd7bd9c |
0 |
0 |
Kwapirs Trojan Detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
96ca7fcb576c97b0d5789bb1536ba5039c9decf46b748ed501cc0945e90fb25e |
0 |
0 |
LNK File Download or Usage over HTTP |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
ffd8e0662e18d53ff9cd24c140aa76098f09521d84cc29f2f00a17fa50a43e37 |
0 |
0 |
LNK File Download or Usage over SMB (Overview Query) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
a4d2269d88c903801fac5733945f9e7aa870b2b167f014df865f794d517e8907 |
0 |
0 |
LOLBAS Data Exfiltration by DataSvcUtil.exe |
Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
4ca63f832211aa3558085e05e1123658cee6f4d5daa8c91fc9deeb13b8ab7b5a |
0 |
0 |
LPE InstallerFileTakeOver PoC CVE-2021-41379 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5aac8fe297cc2a7fde7dd8b7e3bc82990cbcba14f3acb11dfcd8306587c8b02d |
0 |
0 |
LSASS Access Detected via Attack Surface Reduction |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
563af56cc44b5473ca2297f9917233ed8264136d5730aed0bf08f98e4294e060 |
0 |
0 |
LSASS Access From Non System Account |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
c6493cb4442f7c6d607b594653ad5f32371b52193211d685ce4fa631017ee7cf |
0 |
0 |
LSASS Access From Potentially White-Listed Processes |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d593692edfb0155a1eee787d657ba877f87da5e2e548276511560f75acc67110 |
0 |
0 |
LSASS Access From Program in Potentially Suspicious Folder |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
df0d05c25b308b1067253d6665734b787aee2e0d8b177c08f0fad5c83a9b598c |
0 |
0 |
LSASS Memory Access by Tool With Dump Keyword In Name |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
645cb1e8e1af1e2c83bd115ff4c26b69adf33e6b889e7d3e080019df00d911e2 |
0 |
0 |
LSASS Process Dump Artefact In CrashDumps Folder |
@pbssubhash |
Sigma Integrated Rule Set (GitHub) |
76943792af2068697b876777134ad9a888d725b0cb35b3eda717a54d78a60159 |
0 |
0 |
LSASS Process Memory Dump Creation Via Taskmgr.EXE |
Swachchhanda Shrawan Poudel |
Sigma Integrated Rule Set (GitHub) |
9262279e69c00f54852b755d4861838d5ccfa933422a45c0c79d140e0651003e |
0 |
0 |
Lace Tempest File Indicators |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
588b29378bc271192e51c683c2a0b9cafb40c7602b28a6402862a566a0b81ab2 |
0 |
0 |
Lace Tempest Malware Loader Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
32f1a6abb7c0d573677298e3e0ddb2e271420ea641149faec6860812396d7921 |
0 |
0 |
Lace Tempest PowerShell Evidence Eraser |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d32ca81927e9506817cce770d61f68382f37dd691cec907a32e23b900ce34832 |
0 |
0 |
Lace Tempest PowerShell Launcher |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7c491918d0eb9bbccf2d3824e4dab60abcda78a7f88485cb1619257a05db39cf |
0 |
0 |
Lateral Movement Indicator ConDrv |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
c978aa658df36ee024186bee37eb8f5b1974ccfe8ded97a973bfe4dc6e197008 |
0 |
0 |
Launch-VsDevShell.PS1 Proxy Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
653a2a6ef64e76c43984ddf71de4ef9fab7b4140732b70bffd798e87dbfaa635 |
0 |
0 |
Lazarus APT DLL Sideloading Activity |
Thurein Oo, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ac08ae75103b2592d17a9e6a1e238ccf73be2ee27f4b0649c6df3bcd2f1833aa |
0 |
0 |
Lazarus Group Activity |
Florian Roth (Nextron Systems), wagga |
Sigma Integrated Rule Set (GitHub) |
5239809b3d434a5fd86760148a6ba71288898a2f7c5d6c4370e4afdf12c7283c |
0 |
0 |
Lazarus Loaders |
Florian Roth, wagga |
Sigma Integrated Rule Set (GitHub) |
c84a7ca7abbe3e5b0d2b85f57e26013cf82131739ccc06fb4271905d4a63f3ef |
0 |
0 |
Leviathan Registry Key Activity |
Aidan Bracher |
Sigma Integrated Rule Set (GitHub) |
8d55489934039427d1fae624f0b85085985ab01440f56559b26c68f7a6a1deb4 |
0 |
0 |
Linux Base64 Encoded Shebang In CLI |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
65b81bcdfbc588593fc0963077e22d4130ce747d90f3266d5c2f3aa6508cb30e |
0 |
0 |
Linux Capabilities Discovery |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
15f5291aefe8242b4be1908368af4c1c020bff933d962fa5c3d2690592a1d9db |
0 |
0 |
Linux Crypto Mining Pool Connections |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
94ce005adcd09f3ebc9f1adf5dfb87bc39cf45a1c8e1176675682711a53d88f5 |
0 |
0 |
Linux Doas Tool Execution |
Sittikorn S, Teoderick Contreras |
Sigma Integrated Rule Set (GitHub) |
2d09b677a33485e35622f8b6cdab5b1237af8abd8fc894532527d90f383c0aae |
0 |
0 |
Linux Keylogging with Pam.d |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
8b1654a5012de4c604255728331b3cb09c83826468daf25703344006927ebd6a |
0 |
0 |
Linux Network Service Scanning |
Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
577e8f6fda6da02c80afa50ddf199a9e2817ae570e37dff3c743910d6e4dd273 |
0 |
0 |
Linux Network Service Scanning |
Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
676feba35f86e9e41213bf2cd1daab4e4ad9143714e10f335981beeb7ba5d4a5 |
0 |
0 |
Linux Network Service Scanning |
Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7f6a694ee18581a5a2bb34e78f7cb079d0e12a465aa6639e291e138f6f308d27 |
0 |
0 |
Linux Network Service Scanning - Auditd |
Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
96c79bd2f46a79e85a3f40f6206e96a7cc2f097ac4d2dd574d735dccec840832 |
0 |
0 |
Linux Reverse Shell Indicator |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9627ed9b9dde6f0e9ce83624eb258b8c304ba56da7d651985c1e06a0ed0b4975 |
0 |
0 |
Linux Webshell Indicators |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f1ddd314aee4681dd4bc1821da4b796ecf94c8b1576209bb191b5a8dbdcdb26a |
0 |
0 |
Liphyra Botnet |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
4596c900255dd64bed15c00f02fd2c020992da25e6600d3536b6b12b8992d409 |
0 |
0 |
Liphyra Botnet |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
98cabebe7a41e8259d15db20be2beb491b39babbd9a772c20ccf447f7a5c5490 |
0 |
0 |
Liphyra Botnet |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d5c4157c2b4dffa686a83ac64b8c022c3e066337e094757c2f248638dcef1214 |
0 |
0 |
LiveKD Driver Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fe83f11bcb26d72813b40bdb5b8c4009f6f74e840320f5cd3d71f7e6efda7adf |
0 |
0 |
LiveKD Driver Creation By Uncommon Process |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1d5a21d8db462c24435fa9525e3507c04d0368e1546130727d88cc0050357aae |
0 |
0 |
LiveKD Kernel Memory Dump File Created |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d2957f3e596a6283175be9c1eec3b522e82aa8a105ee9a3e2f3bfb494c07cf90 |
0 |
0 |
Loaded Module Enumeration Via Tasklist.EXE |
Swachchhanda Shrawan Poudel |
Sigma Integrated Rule Set (GitHub) |
7c2a2b3b85cbc078de4b871fc347cb5186dc813c5c2083360ce573c3f0abb87a |
0 |
0 |
Loading Diagcab Package From Remote Path |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e5b9341df9284890eca06dd9731ecb3890a2c1496b549dd053bc40c178e14df8 |
0 |
0 |
Loading of Kernel Module via Insmod |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
e690fd8425bfb6339396e2e0b658a06d8dad95357a25603d9ed007d8acae6e6b |
0 |
0 |
Local Groups Discovery - MacOs |
Ömer Günal, Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
96830978814aeec9f41351cd26d413ad426a28c3bf7d6f3630ee7e9a578659b9 |
0 |
0 |
Local Privilege Escalation Indicator TabTip |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
341387d1dc0c269b7b874ce36d90680e7398381d49158ec118d2fbf7af6fe4fb |
0 |
0 |
Loda RAT detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
53e145805bb5e6301f081883d8d97fc2ebfa40287aec49d411fbba030d1fa39c |
0 |
0 |
Log4j RCE CVE-2021-44228 Generic |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8c495666d5450c3e2e0bb34d2cf7eef172c34ec61b80fb24f7ee56955d98c3cd |
0 |
0 |
Log4j RCE CVE-2021-44228 in Fields |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a089911dd0c5c3ead7a5b984c73e7ff29d2a74b294849fe17ffc932bf33784e9 |
0 |
0 |
Logged-On User Password Change Via Ksetup.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1a9508e6ec98fe450815498ea883a6e7b2a5974204656e2f9bb7b098a308553d |
0 |
0 |
Logging Configuration Changes on Linux Host |
Mikhail Larin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
445f9624d922b1b8b49be62aa6ab367c68746e2b43bdbb4e2e6c630e88e18678 |
0 |
0 |
Login to Disabled Account |
AlertIQ |
Sigma Integrated Rule Set (GitHub) |
1514d5d526c9b5a1a6c5e315c592705ba8e80d9698d2928aed28182666d2a2e3 |
0 |
0 |
Logon Scripts (UserInitMprLogonScript) |
Tom Ueltschi (@c_APT_ure) |
Sigma Integrated Rule Set (GitHub) |
4e10510e7f7c48be7d293bdd42d3c63dbb1c4ef878bb17ff20069102a6a1a6b1 |
0 |
0 |
Logon Scripts (UserInitMprLogonScript) |
Tom Ueltschi (@c_APT_ure) |
Sigma Integrated Rule Set (GitHub) |
72753d1df5ca47138f6ac3de80cfbfccccb39052c6331addbb419e2b4a2f9752 |
0 |
0 |
Logon Scripts (UserInitMprLogonScript) |
Tom Ueltschi (@c_APT_ure) |
Sigma Integrated Rule Set (GitHub) |
c58463bc214d5126d24453ce3a2db9a54855641facf8d3dcf2e1a70b4cd47173 |
0 |
0 |
Logon from a Risky IP Address |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
96e45b283c76172a1e89d9798c6e7952bf70ba4017864f8b0941dbffd56f7055 |
0 |
0 |
LokiBot Trojan behavior (Sysmon). |
Alexandr Yampolskyi, SOC Prime |
SOC Prime Threat Detection Marketplace |
25b0a9aa21e02bf2b942c3a842e1cee818237b7da5e121b08157b081a775e7dd |
0 |
0 |
Lolbas OneDriveStandaloneUpdater.exe Proxy Download |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c0cde0407770035045182e4494d9ef27565bb6a5a4bd1506dfd9512694fb59e0 |
0 |
0 |
Lolbin Unregmp2.exe Use As Proxy |
frack113 |
Sigma Integrated Rule Set (GitHub) |
3801de7b2b12b9bb0f6c6167191baba801045f5089dddcf20a11575d87f741ee |
0 |
0 |
Lsass Memory Dump via Comsvcs DLL |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
3c0e931ed838b9556e57c7385ca8aa0e20d9e4a2256e761c1f13540f3df2f513 |
0 |
0 |
Lucifer Botnet Detection (Mimikatz Abuse) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
b78dfe3c36a3641e35470c0d66caaab300392d55f5c4664b7541ee0d13af1e9f |
0 |
0 |
MERCURY APT Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1fd571e29b648dde3ccdecc16fa9186092940df4ac729790a204fbfb1504c8c8 |
0 |
0 |
MITRE BZAR Indicators for Execution |
@neu5ron, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
92c43f07a2d15dc0d84c316204afa24eb03535cb3460b7183fae873f9f93601e |
0 |
0 |
MITRE BZAR Indicators for Persistence |
@neu5ron, SOC Prime |
Sigma Integrated Rule Set (GitHub) |
41587ecc9bb28242c77b042aa99238dbce0be3451506ce1deaa512acac0d4481 |
0 |
0 |
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
89d0bc5bb059780ac612513695fd8f80cf382ee91b7fd215b45bdffbcf65b8e5 |
0 |
0 |
MSBuild Launched By Scr |
Joe Security |
Joe Security Rule Set (GitHub) |
8ad7367c9de9a165016d9a8b662d34004cffb1cf0000aa760ebe1742b6a83175 |
0 |
0 |
MSBuild execute suspicous task |
Joe Security |
Joe Security Rule Set (GitHub) |
850ce3b49e2fc441426c3b9ec59e195d417194b461fe480e76d2482bcd20112d |
0 |
0 |
MSExchange Transport Agent Installation |
Tobias Michalski |
Sigma Integrated Rule Set (GitHub) |
711b03ff1593b84b2c430081585f67ac7553da05293568f43b5d49201ac3715f |
0 |
0 |
MSExchange Transport Agent Installation |
Tobias Michalski |
Sigma Integrated Rule Set (GitHub) |
7c1f925effd9c12efb8a40826e8b85d7d92e1819d550b48add5d3bd5ee8421e2 |
0 |
0 |
MSExchange Transport Agent Installation |
Tobias Michalski |
Sigma Integrated Rule Set (GitHub) |
9aa90df87bd198fdfd7ce530f731f1242cebb92ae8329996250469bfd299dfd7 |
0 |
0 |
MSExchange Transport Agent Installation - Builtin |
Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e771c0dcabbf8a0f6d4bb616409030d867092a5b633c5f87b668c761e0a73c23 |
0 |
0 |
MSI Installation From Suspicious Locations |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
461e6edb67978c12ff58da285d77d474d485074cf463885b481efe09a1fd36c1 |
0 |
0 |
MSI Installation From Web |
Stamatis Chatzimangou |
Sigma Integrated Rule Set (GitHub) |
c856cf4310181be71156dedd595e1303eb9146e4909a33be5b77a634af9a8290 |
0 |
0 |
MSI Spawned Cmd and Powershell Spawned Processes |
Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community |
Sigma Integrated Rule Set (GitHub) |
c7a8b63e31de07a842a530c5020291d2370e859b36aea25420f0d9744a271f6f |
0 |
0 |
MSMQ Corrupted Packet Encountered |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3a3ca0f8c037b2b6a12c6078cb11a13525d13222140a0f6bf8e229bcc9e3f258 |
0 |
0 |
MSSQL Add Account To Sysadmin Role |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1b8dba272839bb575f5b3f9da33023f4740a1b84e81e4f9d9a184c8eaae9bf77 |
0 |
0 |
MSSQL Disable Audit Settings |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0023ead4850cd15e4361d2100abf17dde0b2a8a294573dfdc637ac7fb6995afe |
0 |
0 |
MSSQL Extended Stored Procedure Backdoor Maggie |
Denis Szadkowski, DIRT / DCSO CyTec |
Sigma Integrated Rule Set (GitHub) |
8339def63b74002948ff1b5b1e2ee35342691a9e4e5a32a86765c35f2a6106de |
0 |
0 |
MSSQL SPProcoption Set |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
872e3ac9f3dd66e4edbaae7226c656e132d685c8752da1c7b40048f3deab7580 |
0 |
0 |
MSSQL Server Failed Logon |
Nasreddine Bencherchali (Nextron Systems), j4son |
Sigma Integrated Rule Set (GitHub) |
40eb9c9e91d6e75525bc23c0af6a0959d47b27aeea04988da4aed039c218f7e2 |
0 |
0 |
MSSQL Server Failed Logon From External Network |
j4son |
Sigma Integrated Rule Set (GitHub) |
da585409a91625360a9a039174138eff137e78e92c590f19fbfae0f544a78c11 |
0 |
0 |
MSSQL XPCmdshell Option Change |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e8aa8371cc5fe1806b4cc0bc362b6c08c664e2473866961f08865b8dbe626cd4 |
0 |
0 |
MSSQL XPCmdshell Suspicious Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c8ffe8b0d6ce0e713497c845181c4caac55e32c3ba7f44b04e0b1af8b5177aa5 |
0 |
0 |
Macos Remote System Discovery |
Alejandro Ortuno, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f3cd8ef31c8b21a65b954ec79c8cab26887cd18d064a995d666dee41e8acec49 |
0 |
0 |
Mailbox Export to Exchange Webserver |
Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
993b4f45701b3ec9d79ce389b7e4b9ba421865eff166ec27145d75741b2609eb |
0 |
0 |
Malicious DLL File Dropped in the Teams or OneDrive Folder |
frack113 |
Sigma Integrated Rule Set (GitHub) |
0ad90d7aa0fdb2b3aa22f7b0438269a6add31695e091d3e00704728fdffac5d8 |
0 |
0 |
Malicious DLL Load By Compromised 3CXDesktopApp |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
164ac29f934a91a02b0a5643fe836ddc62b5cdfd558e4f319713dc8f0c7a8747 |
0 |
0 |
Malicious IP Address Sign-In Failure Rate |
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' |
Sigma Integrated Rule Set (GitHub) |
3b5e14d3e8a41fbb9831a463b29a9374afea75153b693e62c1eeb4009fcf51a3 |
0 |
0 |
Malicious IP Address Sign-In Suspicious |
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' |
Sigma Integrated Rule Set (GitHub) |
d6a97e5cce87f8f66c4e02d46de2b99a3752f76c7477cfa0fd3e6c86b3128cd3 |
0 |
0 |
Malicious Named Pipe Created |
Florian Roth (Nextron Systems), blueteam0ps, elhoim |
Sigma Integrated Rule Set (GitHub) |
18beefa1a0a5830d767ea9fe1831ce5fc0abbffeccd3c5932ea06333ab16d451 |
0 |
0 |
Malicious Payload Download via Office Binaries |
Beyu Denis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f8ff90356c4ca9019d85273206850b0132e8b3209bcc1d4931bf59b71450a496 |
0 |
0 |
Malicious PowerShell Commandlets - PoshModule |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
541c6a8f85ea66fe7cd20ffb5901538bdbd0016b758510f019951603e2557710 |
0 |
0 |
Malicious PowerShell Scripts - PoshModule |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ce183a8dcf0b1f1a74c4d3d119e86353ee57698c16b9df15ef6daa2b0b2b81e8 |
0 |
0 |
Malicious Service Installations |
Florian Roth, Daniil Yugoslavskiy, oscd.community (update) |
Sigma Integrated Rule Set (GitHub) |
6476024015d6f67313581ba841b49d2aa8a5bd55b43397bb49521162a7688649 |
0 |
0 |
Malicious Service Installations |
Florian Roth, Daniil Yugoslavskiy, oscd.community (update) |
Sigma Integrated Rule Set (GitHub) |
8054438d5b821755b2dbd5820a438b44688606dc8617bca3756bd60c75e15aee |
0 |
0 |
Malicious Service Installations |
Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update) |
Sigma Integrated Rule Set (GitHub) |
9f944a38f9e33b70e2b645ce13a2ea1152481f589928dd164e9a2ca5ca452880 |
0 |
0 |
Malicious Service Installations |
Florian Roth, Daniil Yugoslavskiy, oscd.community (update) |
Sigma Integrated Rule Set (GitHub) |
ed399c29991d5d0998f08a5930c2fb1aadbd51855a51b2b30d76a6bf630eabd9 |
0 |
0 |
Malicious Service Installations |
Florian Roth, Daniil Yugoslavskiy, oscd.community (update) |
Sigma Integrated Rule Set (GitHub) |
ed602524330bd363f87bc7980fbb46e0186704e38a27f85f7c6030f2ad6356b9 |
0 |
0 |
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
27774785c899a25659566662ca41aadd02b66d6eb728811937ebaae069d82f5a |
0 |
0 |
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
fa6ee0e8f8cead534cdfd17b666caa7f1d01a684b482e45fc1dcc98c3a17c190 |
0 |
0 |
Malicious payloads that are hidden in fake Windows error logs |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
ca17d229059d9b7592cdb79afc25ca5111f033e6033346e481fcc97443e1cca9 |
0 |
0 |
Malicious utilization of mofcomp.exe via CMD |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
8b1787853632b3c011481b5856d0f67e76dcd5ca18b18c17758687641e424c52 |
0 |
0 |
Malware Shellcode in Verclsid Target Process |
John Lambert (tech), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ffb6e23f9b9b02d3336ba381f296b796adbc31e0297afd8257cec5c40e66bd8b |
0 |
0 |
Malware User Agent |
Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a352975e140ee0d8fd67c6be0d75ce52c7e74a2fc79700790bdaa343d062c5c4 |
0 |
0 |
Masquerading as Linux Crond Process |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9a46c620e21e78da1889a3e8f6dbe4070319becd3a7ef3bdc1d9b11595613ef8 |
0 |
0 |
Measurable Increase Of Successful Authentications |
Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton | Sigma Integrated Rule Set (GitHub) | 3fa2160bece2a586b705b87fff33b50172599949ac26db22488fac1f04051d84 | 0 | 0 |
Mesh Agent Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5117f86a505e349c6cd837ce77faafdb5fd3697e13dfba5842107cc264fbcee2 | 0 | 0 |
Metamorfo malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d73a269ba693e8e5fa275faa3169b39f3228c9708fae0c818a2e076be89ebac8 | 0 | 0 |
Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | 5a244f13e4984c1b2b7a499cb46ddf8b68c1ba5230d646cec6c578e0fc490e30 | 0 | 0 |
Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | ae51d2d67f9cc0555bac0f8f07cd0f21e85bf7996326a2ea736bf9240afc5c73 | 0 | 0 |
Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | c27cff6b98bff3ffc6f117f1ee7a6d6969aafd5a49ec2acfc599aeac2d16d3aa | 0 | 0 |
Metasploit Or Impacket Service Installation Via SMB PsExec | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | fb37de09ff35e1a563c8446c188e8763186905bd6f1231f36c4344b06b1c1e49 | 0 | 0 |
Metasploit SMB Authentication | Chakib Gzenayi (@Chak092), Hosni Mribah | Sigma Integrated Rule Set (GitHub) | 22b00ff2151af3d4d5470dded7d187d4f3021d163003a5608c0f6ce4c476db3f | 0 | 0 |
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 192e53b4eb1008e71a9b6e69068e10ea48a5dcaf61b1fc5d176c068bac8e1c8e | 0 | 0 |
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 40660e5f6c68cd541236f69c088146a482a8ebd809f57b774378aa0152dca75f | 0 | 0 |
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 40956f4e065cdfa5d7b282c6490d46c2ec2965fea47b1d597b61302386d09236 | 0 | 0 |
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 817e49977822d01e34c3e5dd05aba6ee11f45ab3c722bc7b2a2bb085226e41cc | 0 | 0 |
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | bc197a778a20b521388a98e562298e644a301273af9279e8993a0b44cc59c8c8 | 0 | 0 |
Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | ec12972980ba51f81e74946a518425d59ff6b1a2e43fa17be336b5e67b155fa7 | 0 | 0 |
Meterpreter or Cobalt Strike Getsystem Service Installation - Security | Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9b174921e3b6661c344cd2c30a575a282bf403e050644ebc88bac4c93c5f47bd | 0 | 0 |
Meterpreter or Cobalt Strike Getsystem Service Installation - System | Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9fd506c795090efa401ad8bb755474601cc0aaa7ebf5b75b096714bd0235016a | 0 | 0 |
Microsoft 365 - Impossible Travel Activity | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d3a30f1e296d56fea04ef46810f3df154d12cf590c5dc97084de9af8009056ab | 0 | 0 |
Microsoft 365 - Potential Ransomware Activity | austinsonger | Sigma Integrated Rule Set (GitHub) | 02ad8f012c03cc13afc7b6cd67d789e91979b43473e7203b074dd4d9f0b7a889 | 0 | 0 |
Microsoft 365 - Unusual Volume of File Deletion | austinsonger | Sigma Integrated Rule Set (GitHub) | be9779fe3da9967876ef067833b541b5c0d33a033ab69daea3ab20181ea1e000 | 0 | 0 |
Microsoft 365 - User Restricted from Sending Email | austinsonger | Sigma Integrated Rule Set (GitHub) | 37b5a17283cb3c4128108fd34d6a17996547cba22f82cb66467c0ef87a0455a7 | 0 | 0 |
Microsoft Binary Github Communication | Michael Haag (idea), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | dd661868928412c287335c1703782413d4880320931356edf3f1e713563d99e2 | 0 | 0 |
Microsoft Defender Blocked from Loading Unsigned DLL | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | a47018e8ef1cc45e77daca77484671576bb0812366e2781bfa3594c5e956089d | 0 | 0 |
Microsoft Defender Tamper Protection Trigger | Bhabesh Raj, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 1870d785edc3b42af09c0eb73a2aa3683103c07aea155f77f90275e694cb6a79 | 0 | 0 |
Microsoft IIS Service Account Password Dumped | Tim Rauch, Janantha Marasinghe, Elastic (original idea) | Sigma Integrated Rule Set (GitHub) | 579789875ba67f31d3267aa54467dd057c7daeccd54f3d84eb0b90c7329b13a9 | 0 | 0 |
Microsoft Malware Protection Engine Crash | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 122ed874aebb54ab631111c5a294891fee643ada943cf805d38b74e7f5f106a1 | 0 | 0 |
Microsoft Malware Protection Engine Crash - WER | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d9bfe783bdd11d38a6493085cbd1c673a360226722228507fb920ef71b62895d | 0 | 0 |
Microsoft Teams update.exe suspicious command arguments | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 1b4855885781ab5b82eba4b8b314d00176f5ac0f29ba84391f11660a70ecd421 | 0 | 0 |
Microsoft VBA For Outlook Addin Loaded Via Outlook | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 70a7fa8eea6fc043858820184b6d6ce880dccb90e67a241505f66c89fff813d8 | 0 | 0 |
Mimikatz DC Sync | Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu | Sigma Integrated Rule Set (GitHub) | ec2307a906e3ea53e96b7874574d7a2e89921b6e7f541a663a6626661dcdc850 | 0 | 0 |
Mimikatz Detection LSASS Access | Sherif Eldeeb | Sigma Integrated Rule Set (GitHub) | ff1315c395da2bdbd410add740bc4f48077e8e1d846f3e2531758ed506a43645 | 0 | 0 |
Mimikatz In-Memory | sigma | Sigma Integrated Rule Set (GitHub) | dadac8ee034d1cee2ef5b7d9a388d1421c731a53717834507c67ffe1b14b5104 | 0 | 0 |
Mimikatz MemSSP Default Log File Creation | David ANDRE | Sigma Integrated Rule Set (GitHub) | 1bf84826e67862a2c36769a8990e8a19bc79218d45bd297eac23f736bebb40c4 | 0 | 0 |
Mint Sandstorm - AsperaFaspex Suspicious Process Execution | Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) | Sigma Integrated Rule Set (GitHub) | e36cb4b37c0a3b4839f6a55922b54dcae23e9a7abffd4fab8cdaa4cac5a28d2c | 0 | 0 |
Mint Sandstorm - Log4J Wstomcat Process Execution | Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) | Sigma Integrated Rule Set (GitHub) | db531917f7306c3d93c74550a1a2a8fe90cc4374c1b12b850143f9dbbce75d12 | 0 | 0 |
Mint Sandstorm - ManageEngine Suspicious Process Execution | Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) | Sigma Integrated Rule Set (GitHub) | 142381af7b3917b79e8f2a044bd428d90a4cc38c06d8939e95a08e4eac709282 | 0 | 0 |
Modification of ld.so.preload | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Sigma Integrated Rule Set (GitHub) | 35fdcd5de6749c0a3648859877873d553a64b9d469a1b72223f3430a15ab10e7 | 0 | 0 |
Modify System Firewall | IAI | Sigma Integrated Rule Set (GitHub) | 9b162e77f6b19646520819d8e3106a91d9dbc365cfcff5a09e4cd2546a58b9cb | 0 | 0 |
Modifying Crontab | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 1111c129daa1f367ddd98562f6ce2ee4591a55d067c442a43665a1b601d3f339 | 0 | 0 |
Modirat Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 83d78690b6193fe5c1396f8bc78fdedf8ba876a1e3b33e73fbd88be9ad9ac43b | 0 | 0 |
Modirat Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8db76b3af1f01ca259e1dfb9ffced0b62d57908e3afda6d7190050a3651d0f35 | 0 | 0 |
Modirat Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d25e572989f7314678d11ebedcd46c0978c4963282ce53453a99fac33ba9cd0b | 0 | 0 |
Monitoring Wuauclt.exe For Lolbas Execution Of DLL | Sreeman | Sigma Integrated Rule Set (GitHub) | b7e3452e4a99ca10a2296ac99559c3c5ad282843dc9d00e99e744ca6725da3ae | 0 | 0 |
Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 14054e3c5398e3efeb36907b873cd44b2e3e1f45c872fd35fc93fe027f026822 | 0 | 0 |
Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 9dd3e22b848384bcb3c88ebef774e34383b1ce9ed5a38ae9e19b8002aa5e1197 | 0 | 0 |
Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | e890924140d1c95de2b7a7fb0972af50a2c5721ef496761669c3aba2244f16e8 | 0 | 0 |
Moriya Rootkit - System | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | fd2423cd1fb181effe2fb4c56218d09921ebaa407b79513920ea5b24c9a3f645 | 0 | 0 |
MpiExec Lolbin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 65a9c1b8196d031b490abccf5fdd6b0096a89c61e8b7d774985dec19d9d0effa | 0 | 0 |
Mshta Download Pastebin | Joe Security | Joe Security Rule Set (GitHub) | 022d94a14c023de93a446a40880959661603927ebe5efff6b062cf01f85d2627 | 0 | 0 |
Multifactor Authentication Denied | AlertIQ | Sigma Integrated Rule Set (GitHub) | 233c91922caafc34f65d2ddba780ca64f6a73e33d7834c528aad6581d3c40cb7 | 0 | 0 |
Multifactor Authentication Interrupted | AlertIQ | Sigma Integrated Rule Set (GitHub) | 486699d92cc29a0049da80bf790ffe339597bd00fe884682f96c34da8e130514 | 0 | 0 |
Multiple Abnormal non conforming HTTP Requests | SOC Prime Team | SOC Prime Threat Detection Marketplace | b6ffd0976104f055b1bd3ba49b801ac35b6e79610413ba345169d98aeae6b573 | 0 | 0 |
Multiple Clients to HTTP Using Unicode Host via HTTP - Possible Multiple Phishing Attempts | SOC Prime Team | SOC Prime Threat Detection Marketplace | 511963c1db190bc62faca5bc4ca06521da4635570743caf2d3f9cd4d56ca50a5 | 0 | 0 |
Multiple Clients to HTTP Using Unicode Host via HTTP - Possible Multiple Phishing Attempts | SOC Prime Team | SOC Prime Threat Detection Marketplace | 988a0ffb0a0f47129dd9b934dcb130f00534a2413639d8a3c688061cd4a9765e | 0 | 0 |
Multiple Compressed Files Transferred Outbound | SOC Prime Team | SOC Prime Threat Detection Marketplace | b8fd2aa035454d18d6233196fd8163e8a2353d52c1aac77573478869e2f4e068 | 0 | 0 |
Multiple Compressed Files Transferred over HTTP | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7bad960058d62e8ad7b373e0f3e304754a2b6902377eb2e11113e17b75ccc3c7 | 0 | 0 |
Multiple Modsecurity Blocks | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3262aea4a6fe473c1bbccdfd23a7fdf4ca12d85cd72e7f33b38038ec0744e1c2 | 0 | 0 |
Multiple Remote SMB Connections from single client | SOC Prime Team | SOC Prime Threat Detection Marketplace | c8e5e581e3b175b3982cdbb599ff7f79477c6d33f45c778d0e404d3b39611c79 | 0 | 0 |
Multiple SSH Brute Inferences from Single IP | SOC Prime Team | SOC Prime Threat Detection Marketplace | 169719cbc9d66e576e8fed121636ea4267a6c02afe08533153871190bf0ee2ae | 0 | 0 |
Multiple Suspicious Resp Codes Caused by Single Client | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 36b7f0b4e7ca31a80f5929c779c0b90ea599d134f5e18ed404448e5c7e4664d5 | 0 | 0 |
Multiple Users Attempting To Authenticate Using Explicit Credentials | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | c9d7284a26107f63bbe7266930bba513eee485e862028ef3d01f460fdfd13353 | 0 | 0 |
Multiple Users Failing to Authenticate from Single Process | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | b83947b9ca0aad485d29caf723d94bab0c256d4731fd51b5dd69d8ee931646f2 | 0 | 0 |
Multiple Users Remotely Failing To Authenticate From Single Source | Mauricio Velazco | Sigma Integrated Rule Set (GitHub) | 4107edd5afd06ad49d102029bda7ae9f9b114dc56eb3f36ad01188bfdcdbf804 | 0 | 0 |
Multiple Windows Admin Share Connections | SOC Prime Team | SOC Prime Threat Detection Marketplace | 9480e7a6092cdaee91f66357eb157816e36db05dcc021646b7b6bd3b1f0deba2 | 0 | 0 |
Multiple Windows Remote Registry Service Connections | SOC Prime Team | SOC Prime Threat Detection Marketplace | 555ec13fb5fd2bac1c4c3d56534a101fe85e324759a14d2efbcff17a8ce0d68e | 0 | 0 |
Mustang Panda Dropper | Florian Roth (Nextron Systems), oscd.community | Sigma Integrated Rule Set (GitHub) | 64ba6d12e9a7d24ab70539a41abdbb5f3b47f99268f5620467b24cd8118976be | 0 | 0 |
MustangPanda COVID-19 campaign | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 50f367f6a2c0c7a6e7071294d21ea586cf7ba6280290d19c28143cb5ba740344 | 0 | 0 |
MustangPanda COVID-19 campaign | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6fa28d8cc3b3f717443e0a42b68552d7a87153b44f262b79824fdceb66d49c55 | 0 | 0 |
NTDS Exfiltration Filename Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 59834ad6ee09ec025f8af3a988bb48ef8d80a59461acd89405b2528d7f2b331b | 0 | 0 |
NTDS.DIT Creation By Uncommon Parent Process | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0cf8479e95ae0e3163e81aed1ec87395423eae253567f08e4dd3ac2a0c160bf5 | 0 | 0 |
NTDS.DIT Creation By Uncommon Process | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c12fec5a56d2fd081752150387da4f96dba46bb9d59e76351fb5886a3f218701 | 0 | 0 |
NTFS Vulnerability Exploitation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 411eb79dfeb1cc205d22228842bf9c45f6ea648d10de8bf3d08e9bdaa31e9d1f | 0 | 0 |
NTLM Brute Force | Jerry Shockley '@jsh0x' | Sigma Integrated Rule Set (GitHub) | 54182425611ab34a2b625907d0925ad47e06ba8cbff4eba74a8d30f6578febdc | 0 | 0 |
NTLM Logon | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7c3dc15fbc51dea715925bf595cd0f9e0a02de70e6c439f34e6f1f0e05748574 | 0 | 0 |
NTLMv1 Logon Between Client and Server | Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f41fbbd0947ef225c285ff5ffa2c712a5531c440c2f84bb402d5d680c428563d | 0 | 0 |
Nansh0u Campaign (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 904193bc621aaa8bd679e31840889e7e0ebdd3012ad80cd285a787efa9a21a1e | 0 | 0 |
Narrator's Feedback-Hub Persistence | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | 4064f97b1b93e3d50e6d45f091287083f57a4143e79079ddd4afcae5bd61545f | 0 | 0 |
Nemty Ransomware (LOLBins abuse) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b6e935f32e1e64aba00eeea36dedcf16c051a067fc0bd9e45ea29c807851976e | 0 | 0 |
NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | 567e3d1c926bd9cf6698fc92a1b61254aa80f7d149c421f1d6acbf4fc8492e5f | 0 | 0 |
NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | 628b3cedd2ee451a4c293777e6a6b1405d7ff8640e456f6c947256490c60b5d7 | 0 | 0 |
NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | bec1f52073fc2866f36490eba29525c7075bac3d5209203cfda883af578ca4f8 | 0 | 0 |
NetNTLM Downgrade Attack | Florian Roth (Nextron Systems), wagga | Sigma Integrated Rule Set (GitHub) | cf37bb8e1c6eb04a715e1acac3004996b87765e5a9a1641cd5f9ba489b398a21 | 0 | 0 |
NetSupport Manager Service Install | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 86ece89995af050381a2b0466e99f3f68df6961352036129bbf78c3197514256 | 0 | 0 |
Netcat The Powershell Version | frack113 | Sigma Integrated Rule Set (GitHub) | 0fd4e2409b6a9d2d52410acd12bed00a2c98b5907728ae24ee86bc36d470b52d | 0 | 0 |
Netcat The Powershell Version | frack113 | Sigma Integrated Rule Set (GitHub) | 16372019c3e1774b0a40174d12d8465e4bb4ecfac13a7148849c9b3d21282f37 | 0 | 0 |
Network Connection Initiated To DevTunnels Domain | Kamran Saifullah | Sigma Integrated Rule Set (GitHub) | 288ba98d65a38ea550d080181aee990f5c60c6f33847cc93008d1013e8880cd5 | 0 | 0 |
Network Connection Initiated To Visual Studio Code Tunnels Domain | Kamran Saifullah | Sigma Integrated Rule Set (GitHub) | 8354afdcc724ce9b16fb2cc840afa94ba9cb98ef3354ccd4ab587ce65c1ec859 | 0 | 0 |
Network Scans | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 45df53aa30dc2cfa8b51eefcfc5610c077a28dd2cc8dc1e231a33ea4a8787dd7 | 0 | 0 |
Network Scans | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | bb657f87ac9c438630487838d7c6786269418efb6f627897a245514632b7b71c | 0 | 0 |
Network Scans | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | bf8c0428428fa1278ad2e0afa0221c340e18931c689a1a74660e2b25a2a1860a | 0 | 0 |
Network Scans Count By Destination IP | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 0513b00d4770e8ba4e68a1bf68cab686e859e14797388dbcf6f51ea10f3042cc | 0 | 0 |
Network Scans Count By Destination Port | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | d59f72c28978b1e054ff60f91c7cbf0354f8d455e90795685535c1697fd3c945 | 0 | 0 |
Network Service Scanning Multiple IPs | SOC Prime Team | SOC Prime Threat Detection Marketplace | d2d4bc90121c2e5cb6f3b7884fe1e4c06a3a4c61c381e33eaf549354d0929db8 | 0 | 0 |
Network Service Scanning Multiple IPs for Open Port | SOC Prime Team | SOC Prime Threat Detection Marketplace | e06753fd5e71bee4c1603fb8e04f441b1a19e365ff520231341b58b5c9676d87 | 0 | 0 |
Network Share Discovery | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7cda33e78a2e154cdc2a2bbeb41857926b105d3f9e7750e0d39c1a6db9bf9563 | 0 | 0 |
Network Sniffing - Linux | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | cec88cf573d8c7f5ff9c871e5caf9caf91adc563916947a89aad1491da2346ac | 0 | 0 |
Network Sniffing - MacOs | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 34a3b83c8ed31a73806fd506d538c5611d10141f5683c39ccd3e822a4e68da7b | 0 | 0 |
Neutrino Backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 66fad368237fdcb7d2c9e94af048b92829d15c4a440509d0cda553cfd8390ef0 | 0 | 0 |
Neutrino Backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c36594c085c33464fc5cde06dc8ae917de450f86a16aff6f5e7e0f6e3be73f2b | 0 | 0 |
Neutrino Backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d3b050f13506d1bf0507f478002af7a34e949fa40a2ef119fbc657f3a35de60a | 0 | 0 |
New ActiveScriptEventConsumer Created Via Wmic.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c96db484de175e1b250b8157c4e848f441ffb92c370fec9a85857f015c6b8db8 | 0 | 0 |
New Application in AppCompat | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 63f0997b285249bf20906023fb00f8eb00815314c790f67a70befd01625e8aeb | 0 | 0 |
New BgInfo.EXE Custom VBScript Registry Configuration | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c6dc6d76eeb648f8a6c7b792a7c0c0892cfb08761125a4917ff4e876629c6ade | 0 | 0 |
New BgInfo.EXE Custom WMI Query Registry Configuration | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cd2cf3c556d7f804607b107b1ab5b1607104083c3c10634112c146a750d4f896 | 0 | 0 |
New CA Policy by Non-approved Actor | Corissa Koopmans, '@corissalea' | Sigma Integrated Rule Set (GitHub) | 8481a3dfdbf2420e6f48e4ca174b2dda387b24d99a40fb5a1fa4df5cf6a2bd5a | 0 | 0 |
New Country | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 29a6e023b51fcc14d21b2ad6feb3cf459c7eba88739ece5f47a4bd331c43f7f7 | 0 | 0 |
New DNS ServerLevelPluginDll Installed | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 167ca4630ac31daedf547da8bb8695b2fbc83687b5dec49438c407766e74c574 | 0 | 0 |
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8a0b41208edc45c1f006ab6da0f12b0b819a810a16ba4179e2ef632571eafa18 | 0 | 0 |
New Federated Domain Added | Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule) | Sigma Integrated Rule Set (GitHub) | 417fdab2450cfa423afc0b94feb8ea1eb0170931a5d2ce9f976a27414d16ad70 | 0 | 0 |
New Federated Domain Added - Exchange | Splunk Threat Research Team (original rule), '@ionsor (rule)' | Sigma Integrated Rule Set (GitHub) | f4d4fe5ce26b394500e7dfc03888ed545d49235853ec9648757339683a4382cf | 0 | 0 |
New Github Organization Member Added | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | dadac0757b2f6dc8f2424154d735c6e9f6debf3b040a084ea6bf09e1ee1c9951 | 0 | 0 |
New Kind of Network (NKN) Detection | Michael Portera (@mportatoes) | Sigma Integrated Rule Set (GitHub) | 2c77a5d96ace41090b3f0375df03933e67f7572906b0034e8b3ca88749d3cd95 | 0 | 0 |
New Kubernetes Service Account Created | Leo Tsaousis (@laripping) | Sigma Integrated Rule Set (GitHub) | b33072321fe8e3e1762c87204aa773aa246a224e0170326322d1f3c83bef17f9 | 0 | 0 |
New Netsh Helper DLL Registered From A Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 06d9285ce443fddf212ad5e266021a9b1330b6f5f5323f9f6ed98ecc7ef9183f | 0 | 0 |
New Okta User Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 54ae60ed9b91100a093c0cc068b4bbc869b014a835c812d89d99036067653144 | 0 | 0 |
New Outlook Macro Created | @ScoubiMtl | Sigma Integrated Rule Set (GitHub) | 6521fe44f6063c0c2459334902169e29975140f570d57f3ec5fb33d79f3b074b | 0 | 0 |
New PDQDeploy Service - Client Side | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7eef4b778bab8a20a8e7ed2a4e0dd59bf7640b39b56d4c814a4a1b8fda3b982a | 0 | 0 |
New PDQDeploy Service - Server Side | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 59adf824809d4236ddfb7abd94c5a9eb62364b1c2b75771aa0109c9a8883523a | 0 | 0 |
New PowerShell Instance Created | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 83cb47f5a4ddfd9c34da01fa9f873a03f0cc58cc2778580cc726de414c3c0baf | 0 | 0 |
New Root Certificate Authority Added | Harjot Shah Singh, '@cyb3rjy0t' | Sigma Integrated Rule Set (GitHub) | f895ebfd80192a0790353f180cb2f6a41a074614617ff1a20d33797ff25a81ae | 0 | 0 |
New Service Uses Double Ampersand in Path | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 30edb61625037a72a7c9c3683c9e096a775cace99e1426de2d32b4b713f384a9 | 0 | 0 |
Nginx Core Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7a4cd40845c7f590d81d5519efe14cb755da4ad7e8382cf1b793884653b688b5 | 0 | 0 |
Ngrok Usage with Remote Desktop Service | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9f2d0250a4d365231552edf3cd9a299a59fc19270a21bdf6c9c9bc153c1125c3 | 0 | 0 |
Nibiru detection (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3debb91f02ff96ef7063287de5f4ac2a5b63133f3d2217b252f7ff735f72fe86 | 0 | 0 |
Nibiru detection (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ea4bc0ae193b08ac5358d5794b10aace35e1a28e70fa3405a1b93acd3c30f538 | 0 | 0 |
Nimbuspwn Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | d45d10c3028ea86b6785f4996bf142b5846384cffab3108857c060b1bf2603b0 | 0 | 0 |
No Suitable Encryption Key Found For Generating Kerberos Ticket | @SerkinValery | Sigma Integrated Rule Set (GitHub) | 0aa876d4a1f4fe38a455522a180c967c96786f0895f9da7fa36998a51eef77ed | 0 | 0 |
Node Process Executions | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9202f610baa020320fb0754246900aef3eb9d7cab948cd7896901c509b02cb91 | 0 | 0 |
Non-privileged Usage of Reg or Powershell | Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 27c02a5e277091bc1c5b7d2a04365e89a8787ee68e58616afd80ef5c26aa04de | 0 | 0 |
North Korean RAT - BLINDINGCAN (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e8ccfecc9a57c342fda105daa1ce14b8913cb320d668dec39aa2e246fd6edbe7 | 0 | 0 |
Novter Botnet detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f699b7b7fd20025dcb81e2586b58b97d0ba868dae7904c07e08849456012355d | 0 | 0 |
Nslookup PowerShell Download Cradle | Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam | Sigma Integrated Rule Set (GitHub) | ff5075c1ab78a992ff2adc2a2049fe9b6d926c8bc64281be803d245f855dc985 | 0 | 0 |
NtdllPipe Like Activity Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e75bd8ee8f295c82c9c13ed7f3e94a1842f9f875763967e88abf3169db8a501 | 0 | 0 |
Ntdsutil Abuse | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 210264616bb0095387dbc3e8c5912a1eb75faefd8724568bfc6ec716d5590cd5 | 0 | 0 |
Number Of Resource Creation Or Deployment Activities | sawwinnnaung | Sigma Integrated Rule Set (GitHub) | 72c0e900a73e61f8d65b8fc1bc7424e17ed6404f198817556ef1b8bf780307f9 | 0 | 0 |
OMIGOD HTTP No Authentication RCE | Nate Guagenti (neu5ron) | Sigma Integrated Rule Set (GitHub) | 37c2af49383c30c36d87b7215b22296e477d1b387c3b0c34cf3a3050d62099f1 | 0 | 0 |
OMIGOD SCX RunAsProvider ExecuteScript | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 1aa03e3c54881b2badbac443dfd964bb5e89d65f3a4230ddb1349cd55dd16701 | 0 | 0 |
OMIGOD SCX RunAsProvider ExecuteScript | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | d532e92700eb248ec7d25152f456ce46ecee476d6fd76a7b3e07659c54d26855 | 0 | 0 |
OMIGOD SCX RunAsProvider ExecuteShellCommand | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 5d1fd434b1c927d94f9fe4453395535db904af037d3b9d3ff45b6ef71c0f8e43 | 0 | 0 |
OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 57337e7a54cc7d5663f144c2d4051297cb796d11797ae6e1ca29ba67c27edb19 | 0 | 0 |
ONENOTE drops suspicious file | Joe Security | Joe Security Rule Set (GitHub) | 9da30d55d9e21d3f8584b2732c9e7ba8a9cd7d13d798b1d5ba2f6f08ba6b95cd | 0 | 0 |
OSACompile Run-Only Execution | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | ca74a6a906876b95e0e530fd08698135380244388eb4db27bbeb261db249db47 | 0 | 0 |
OWASSRF Exploitation Attempt Using Public POC - Proxy | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 70471eb8ea01df24c6272c80f1a2be1c1849c4bb340f16eb5f23d2afd29c1fb8 | 0 | 0 |
OWASSRF Exploitation Attempt Using Public POC - Webserver | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9de883be222a909e9e714b49ed60382523ea8a161272379006f861b0893bb5fe | 0 | 0 |
Octopus Scanner Malware | NVISO | Sigma Integrated Rule Set (GitHub) | ad8390b7e69e5ce853f3c92ad2199323cf05de73cc23538d5f0c64b8f2ee6bfe | 0 | 0 |
Offensive tool MaliciousDLLGenerator. DLL side loading (Sysmon) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 83567691787215050fc2832d1859c46eef4d6ec184c2e86675a1cda9293f9656 | 0 | 0 |
Office macro parent spoofing injection | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 6633d004f33515072ffdd8f03f41910d3d9da5e01701655ea5e05259c72e6d05 | 0 | 0 |
Office startup folder persistence | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 4f71ac3f10bbbdb0bda74ee81dba1206ffd26e184cc17f7391a0ca82ad838257 | 0 | 0 |
OilRig APT Registry Persistence | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 173b1203b0d58ac13e3b93542a1017cf3769eb4ba1be56bb4bc926e53578dc74 | 0 | 0 |
OilRig APT Schedule Task Persistence - Security | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6d4dbcdef02bddd827d8a0739ad5f31dc3844674ae32cf4be9de19c3e4202940 | 0 | 0 |
OilRig APT Schedule Task Persistence - System | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 481b18e9f3ae67f2f52eafd5f02566e687c982a62597a8333ec6c4eb21f97fc8 | 0 | 0 |
OilRig's "RDAT" Backdoor (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 75f9172f5d8240599ba3e90228c244a661f19b8fecdf018deefea7ea69584949 | 0 | 0 |
Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ea4cbf16bdb71984f5023f3f7cb99896b2f2fbbc624e3fed169da1b645de6150 | 0 | 0 |
Okta 2023 Breach Indicator Of Compromise | Muhammad Faisal (@faisalusuf) | Sigma Integrated Rule Set (GitHub) | 6026ed3790b2aa3986a451e5a9c5cb93f12dc49b7030b43e07e6a47de78cfcb8 | 0 | 0 |
Okta API Token Created | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 37c62bd2bbcddc4acc9d1a5790917fced5f8bffd7529d17806bae479015d0438 | 0 | 0 |
Okta API Token Revoked | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 0f26d84e2eba3bdbd5a67b63c111a77e2d63546e74143de49507314c059c0fd2 | 0 | 0 |
Okta Admin Functions Access Through Proxy | Muhammad Faisal @faisalusuf | Sigma Integrated Rule Set (GitHub) | 0e9de7c900164c5bea39c2c5c73d106cba774765e0fc722e969d103f20a92aa3 | 0 | 0 |
Okta Admin Role Assigned to an User or Group | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 76ee74749375861af873800c29031bf76c1d499b124d9ea839ba8c40dee90c8e | 0 | 0 |
Okta Admin Role Assignment Created | Nikita Khalimonenkov | Sigma Integrated Rule Set (GitHub) | e3d5e3ef17a28bac74c3e7ed411b661907b14d44a1a21980db9472325c016b8d | 0 | 0 |
Okta Application Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5146d9202bfee99aebeefa43c786b2e3719434b3ce05ab72c3c3b42d285cebe5 | 0 | 0 |
Okta Application Sign-On Policy Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 2ef17e10bfa93f6d655fd5a9f9191f5ac2f485b9a0dd458d450ad6d3337261e9 | 0 | 0 |
Okta FastPass Phishing Detection | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4da6d0189181bf3a884e17c8f8db08b98a52cadbd79f7887e5d40a296a0d087d | 0 | 0 |
Okta Identity Provider Created | kelnage | Sigma Integrated Rule Set (GitHub) | 69d3902e2630392d5c7090797ced750c8ebb671d5e42f47f7870ac50282c0755 | 0 | 0 |
Okta MFA Reset or Deactivated | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ec810333c5b5e59400842656cc184df2783f47b5b55d0030bfa5a4f21568df9c | 0 | 0 |
Okta Network Zone Deactivated or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | fe00ea6d901a92c5ecc5302f0e36994a890f1b517bb02510b6a368f421ec89c9 | 0 | 0 |
Okta New Admin Console Behaviours | kelnage | Sigma Integrated Rule Set (GitHub) | eb340ef7be2c9cb3efa0549932d10d9f37e9bb1d79dbd150c12543babb9f95f1 | 0 | 0 |
Okta Policy Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 1c210d6fdbd5b2ba495cbd1a803fad26f2c34786e6b979f4ce8e88872a25db23 | 0 | 0 |
Okta Policy Rule Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ae0100a24042add9897a943949ccd1e1e3f8c310cd5979cf48accbce725cd423 | 0 | 0 |
Okta Security Threat Detected | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 82f25417bf76cf8b64d66b26bf54c4850a4187772d8094d02f3f8eb64bc20bf4 | 0 | 0 |
Okta Suspicious Activity Reported by End-user | kelnage | Sigma Integrated Rule Set (GitHub) | 6bbff41a6216bb536bc26c995451302370148db5c2e04233dedfaf9dbb7bc355 | 0 | 0 |
Okta Unauthorized Access to App | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4ac129ccafdbbfad46a3392c4e73182ba5823ac3df49ac7d3e35e10cbf159b2a | 0 | 0 |
Okta User Account Locked Out | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 713536374c2a86507e8c3738a171b0b1ab7398e3b84b9a491e14890485ff6bb7 | 0 | 0 |
Okta User Session Start Via An Anonymising Proxy Service | kelnage | Sigma Integrated Rule Set (GitHub) | 7201e9464f102ca8e21b9546bd23a1cbf359ad574a89098388cadd16d29a8aad | 0 | 0 |
OneLogin User Account Locked | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 989ec67196bdfe4759541550bbddc7a6be65ecf2debfc15598f3768a4000df04 | 0 | 0 |
OneLogin User Assumed Another User | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f0eee7a94251a99b6a747dc186b09c26d9850f1e61d9cbcb7a5939e633565f04 | 0 | 0 |
Onyx Sleet APT File Creation Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 242c6137949513e785765dd342fee445a4ad020326a1e9660877eb47bcc455f5 | 0 | 0 |
OpenCanary - FTP Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 58b33e5602cceaa5a577e5cea9c030e8f3259c7cc252f6cd08eb3e0cf24c2ae5 | 0 | 0 |
OpenCanary - GIT Clone Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 9333eda34c79883676f76e701be7aaca43a867b942892f6f66e1f87cdc5e40c3 | 0 | 0 |
OpenCanary - HTTP GET Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | a2338d9de2c3720aed5072e7eae57da07252ad8acb0b21aa731a00f836e3aa96 | 0 | 0 |
OpenCanary - HTTP POST Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | e5081f3e43c5a12b29cf04c26c5d0aed63e36d3a625cfc3b0b1937e6eb81e495 | 0 | 0 |
OpenCanary - HTTPPROXY Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 689fa0fb65b5a7c5ff079146c1527db2d9f9108d904f70b03e12444bae251599 | 0 | 0 |
OpenCanary - MSSQL Login Attempt Via SQLAuth | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 6bd549e3820eb117fa8818aa0ccfedca87af749df250dc1dccfddb309fec0fa3 | 0 | 0 |
OpenCanary - MSSQL Login Attempt Via Windows Authentication | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | b5fdf58437f839cb1a9bcf31d1ba5ccf03578c65244d0b5ba4abc24f546ae501 | 0 | 0 |
OpenCanary - MySQL Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | fe0897ebb174510d657dd2dae645787156ac4b0016b68584c9329cef4cbed174 | 0 | 0 |
OpenCanary - NTP Monlist Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 39b4415be3f7286ef04fafd79a27fb4200d037a0d29815b34aaebe36ab7b1fe8 | 0 | 0 |
OpenCanary - REDIS Action Command Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 4248cf2a19280fa7a55967b93ebd7a0d3aff7106fa49d7216be7d12e1795b114 | 0 | 0 |
OpenCanary - SIP Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 263931e3c504faf456feaa532846356e5b7702b5691069bf621216b9a59e767c | 0 | 0 |
OpenCanary - SMB File Open Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 8f3d2962c3bbfb397a7b41c8144162baa499408fa9b440f030d4a17c01227b09 | 0 | 0 |
OpenCanary - SNMP OID Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | d709611ff95566f2388c932383ea81de31e7bced597ab1cb2355549614ac533b | 0 | 0 |
OpenCanary - SSH Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | e7c0bef7207d53d44834e24beb809dd5c9c5d1c6ecc8f06433a3d2c5eb3390dd | 0 | 0 |
OpenCanary - SSH New Connection Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | fe4d9241c40e3cb920d3c256723edf2d7f6a4a7e91d8a39f31ea04fe96e261b5 | 0 | 0 |
OpenCanary - TFTP Request | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 82420b5dd3ca5ded3ff0423f7dd0fde415919d18f603f31d241f7798322bd019 | 0 | 0 |
OpenCanary - Telnet Login Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 27b505b0c058a311ad88d93d3647ddfcdaa98b7002439b9ef798564fb10f5fc1 | 0 | 0 |
OpenCanary - VNC Connection Attempt | Security Onion Solutions | Sigma Integrated Rule Set (GitHub) | 1135b67cac53d9dc03bc41e41e4001e28fd570f7a292ee2d0a6e910703f5ea4f | 0 | 0 |
OpenSSH Server Listening On Socket | mdecrevoisier | Sigma Integrated Rule Set (GitHub) | c60669725183d6b8f87e7372de3a80eb4651a08386152acbc38a4dbfabb5a290 | 0 | 0 |
OpenWith.exe Executes Specified Binary | Beyu Denis, oscd.community (rule), @harr0ey (idea) | Sigma Integrated Rule Set (GitHub) | ea5ec4a6c95de7e028405041a4052a38c12bd6345847e628f0b4ed6648db62d1 | 0 | 0 |
Operation Vicious Panda (COVID-19 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ed562e5af5aba4e5887ef8b69c3f8410480a32e19b5c9e3f3fcd9bd0fd33a447 | 0 | 0 |
Operation Wocao Activity | Florian Roth, frack113 | Sigma Integrated Rule Set (GitHub) |
0981b6a6bd3a352e954d4f808351eef72bde12f597fac067385a86f67f28169f |
0 |
0 |
Operation Wocao Activity |
Florian Roth (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
2e30c366dcaa537ae7d98a978f19c3a6bbf9b459e177978af689a71981ca468f |
0 |
0 |
Operation Wocao Activity |
Florian Roth, frack113 |
Sigma Integrated Rule Set (GitHub) |
41500c83cd93f90f6d367be3449920cac482603fa9b7f4137f2576feb2ba50a8 |
0 |
0 |
Operation Wocao Activity |
Florian Roth, frack113 |
Sigma Integrated Rule Set (GitHub) |
d4c0402f67c8a3748cf75523ef859b1c3b31b2503661858ec74bc3b5c7cad0af |
0 |
0 |
Operation Wocao Activity - Security |
Florian Roth (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
a0774a9062d671fa2115dde2a5620ddb95c39200fc4fbcd5a7504ced2408c516 |
0 |
0 |
Oracle WebLogic Exploit |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9bfd34293b2b68ab59c38057b018b43e4604ddd974aedeb628eb74f48467b2af |
0 |
0 |
Oracle WebLogic Exploit CVE-2020-14882 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
82dda926865821ca5e8c3ddb93fc4f69772bb79643d23c061dc2f359fcb25cee |
0 |
0 |
Oracle WebLogic Exploit CVE-2021-2109 |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
58f3096519d091461dc02d540c9ad2e2714378fc856af5b52dcd246cf062437e |
0 |
0 |
Orcus RAT detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
4c082e44fc924f698907583aefcedc31f3b0d4bfbcf17059818ff8c45ff15b60 |
0 |
0 |
Orcus RAT detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c71576208518c999b7feba529c697771d91ca38beb7d087c1d8ae78eba2c5bb0 |
0 |
0 |
Osacompile Execution By Potentially Suspicious Applet/Osascript |
Sohan G (D4rkCiph3r), Red Canary (Idea) |
Sigma Integrated Rule Set (GitHub) |
534e5f09aa8a2711bf32fe1f48e5aaae7c1eb54edca4a45d15d4d2a1d5777d12 |
0 |
0 |
Outdated Dependency Or Vulnerability Alert Disabled |
Muhammad Faisal (@faisalusuf) |
Sigma Integrated Rule Set (GitHub) |
ce19b38916dff269959912516d6e91e3e6f381758112858a696b9b90bfb23faf |
0 |
0 |
Outlook EnableUnsafeClientMailRules Setting Enabled |
Markus Neis, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3cd123419934970c6f512e6e89c3d16dbd5f83ef619f0a253215253f742ab328 |
0 |
0 |
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
913a691c5abac0b7049954b34a71854907dc501135b328da661014f7ce608eae |
0 |
0 |
Outlook Task/Note Reminder Received |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d8b055908e57ae42312b98158e8c1827c3b7cb201596b07618147fa83c9b34b0 |
0 |
0 |
Overwriting the File with Dev Zero or Null |
Jakob Weinzettl, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fb9c58953377bc9ef08cbec4e7921e8bfd0bcea1b91c79a56cd7f21e179f5514 |
0 |
0 |
PAExec Service Installation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b43a695c8cacf079c156ddcafc854daf0eca84e4b780c7208ee36076669f0506 |
0 |
0 |
PCHunter Execution |
Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
ea00000057824b59ab7e9a01e0fc3ee6282e5c8aa26a9cba0add0c404627ba7e |
0 |
0 |
PCRE.NET Package Image Load |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
314e0194b44c70b9c92c8fcd5ab2295e9f0c5d034db71b856dc14098ba319f82 |
0 |
0 |
PCRE.NET Package Temp Files |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
298754861fb9b51e8da2c4490353502093fe96a301b2c943df1e6d6ccc641ea8 |
0 |
0 |
PIM Alert Setting Changes To Disabled |
Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' |
Sigma Integrated Rule Set (GitHub) |
cb2c7a5d6e74e1d7a58dbc90a045ce1d7a9f5435192be53ba97f900e4fcee238 |
0 |
0 |
PIM Approvals And Deny Elevation |
Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' |
Sigma Integrated Rule Set (GitHub) |
9acb40e5ee2c0bff46a5d9bdef2794faf9e98ed7660b3db8f02503e3b740e167 |
0 |
0 |
PSEXEC Remote Execution File Artefact |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
230eb390fb6e2817dab9db2bfdbd023d78fbb329780d18ebee7e7ac22229c90b |
0 |
0 |
PSExec and WMI Process Creations Block |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
d5f9283f29961f497c15a772fe3eaf3852c91aaeca1034ffa8fbac0ad1e65b32 |
0 |
0 |
PST Export Alert Using New-ComplianceSearchAction |
Nikita Khalimonenkov |
Sigma Integrated Rule Set (GitHub) |
78bfc233a44388751d0901e53bedbf16ae3ac91b77a7f520b03e1fe755288f67 |
0 |
0 |
PST Export Alert Using eDiscovery Alert |
Sorina Ionescu |
Sigma Integrated Rule Set (GitHub) |
c344baadde7ac55358039b7ea1d02ebd12220869f1ebe3df94888063dd78d8d8 |
0 |
0 |
PUA - Adidnsdump Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5fcc3dcdd38e008741a75f024bab3a696ef8d9b4feba961448f2bbe027db5cf8 |
0 |
0 |
PUA - Advanced IP/Port Scanner Update Check |
Axel Olsson |
Sigma Integrated Rule Set (GitHub) |
e940965433a2cc92fc31e2792e173909b90acd90237f0586703e61591ef0a0d6 |
0 |
0 |
PUA - CSExec Default Named Pipe |
Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
edd6b274dc00acb7d7d2932d7d705fc3bb483b448b5c28b78ba53956ea5bf006 |
0 |
0 |
PUA - DIT Snapshot Viewer |
Furkan Caliskan (@caliskanfurkan_) |
Sigma Integrated Rule Set (GitHub) |
203a47b7ef9f6721efefc8005ca1492daf475a9b03afc70af3fde9780df06253 |
0 |
0 |
PUA - Mouse Lock Execution |
Cian Heasley |
Sigma Integrated Rule Set (GitHub) |
3d2c6b32d1108da7c43b45888b3ec8440d9177641036131235b6409be1771ff7 |
0 |
0 |
PUA - PAExec Default Named Pipe |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
dae4bab545d2170f8c4ba261aa915411c5e88f7bc7c9c202844f7d4dfaa46ed6 |
0 |
0 |
PUA - PingCastle Execution From Potentially Suspicious Parent |
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2c018dcbeb4d1cb1cb608ee8206c7c9051b1907cc64c175ffff7d080ad6e9d0f |
0 |
0 |
PUA - RemCom Default Named Pipe |
Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8701a7d6b05632d8957dd9d58a5def27cd25ab60591062c7829d17dc4b8689f6 |
0 |
0 |
PUA - RunXCmd Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
dd83088cd2165f94f85ef74a40370155c40633c897626c46ec18f8e51bf5fb55 |
0 |
0 |
PUA - Sysinternals Tools Execution - Registry |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
31af484ddac8c57fe9360290fce72392b7f61a6219f537208279dede0651a785 |
0 |
0 |
PUA - System Informer Driver Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
377b9450d36e20bc9eaebae30e773e6035bdf9aa23366599f86d34ae06826f3b |
0 |
0 |
Pandemic Registry Key |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1280d1699ff038c66a632a34d113a985abe94aba7a198de85b3dec7e8c56e432 |
0 |
0 |
Pandemic Registry Key |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
83870fe1bc3919a21d0e4bfe80e46298d498a92fede413336e99c62c736fde77 |
0 |
0 |
Pandemic Registry Key |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
94c2e0c66ba5ec7b925ceb0b07bd496ceb43525c621caa6b3a18048c1c9ffd88 |
0 |
0 |
Pandemic Registry Key |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
a1ba081fa2fecc17406857322da10c42bfd5d39b025a35029fa0fe1b55760821 |
0 |
0 |
Pandemic Registry Key |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
f3d343e52cbeb2af747dd246bd8ea56b0de2c474c81d88ef7e6cd844d31fe85a |
0 |
0 |
PaperCut MF/NG Exploitation Related Indicators |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d4bc1833ea3209fde8ff3f446e8b87f1fe90655c123167d81fb5baf89b952c2b |
0 |
0 |
PaperCut MF/NG Potential Exploitation |
Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea) |
Sigma Integrated Rule Set (GitHub) |
e7c0f6be4c07f1ad2f6f3f706f828afdc4c66e76b81bcf6b6f6acd69a19ad218 |
0 |
0 |
Pass the Hash Activity |
Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) |
Sigma Integrated Rule Set (GitHub) |
28b05b77c561c979f988b8e68e0fd7bee5c3d69bebf583aefab5e6c03dbd30d4 |
0 |
0 |
Password Change on Directory Service Restore Mode (DSRM) Account |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
d5526765d05068ba3b4fc756226bbb23764077a29b90a8d1b182c52b27247a96 |
0 |
0 |
Password Dumper Activity on LSASS |
sigma |
Sigma Integrated Rule Set (GitHub) |
25dff248d062d94230b27dc2516c0e2a98f6760f4b5d93f07871a0f48b12c990 |
0 |
0 |
Password Dumper Remote Thread in LSASS |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
68e65c1d21220f970cb6860795f7c6918fb617b028d783bcc58af027c5ee078c |
0 |
0 |
Password Policy Discovery |
Ömer Günal, oscd.community, Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
70af2a777246077f95f00d88094a0d2d36234fe41d5cb79303b751759b327351 |
0 |
0 |
Password Policy Enumerated |
Zach Mathis |
Sigma Integrated Rule Set (GitHub) |
9d40f55c895ee82ec994566c6fac446512025d88d880a1ab97023fc27e4f859a |
0 |
0 |
Password Protected ZIP File Opened |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
eb33357ccb75fd5dba059c522da5c8442a7a91ffc70415de3339f526ac8c5082 |
0 |
0 |
Password Protected ZIP File Opened (Email Attachment) |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
187ce23c1aa8e0dc7011c68b8294c8501a17467c7ee31fbb5d001d1e296cbc34 |
0 |
0 |
Password Protected ZIP File Opened (Suspicious Filenames) |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
05393000658165d71f04748ec6b135470c44474d0a610a95611c3ebdfe50ffd2 |
0 |
0 |
Password Reset By User Account |
YochanaHenderson, '@Yochana-H' |
Sigma Integrated Rule Set (GitHub) |
8d765da0a95268a2b6989a5f346c32e9ddf62e5d6733097120ff6e1d0bc6fd70 |
0 |
0 |
Password Spray Activity |
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' |
Sigma Integrated Rule Set (GitHub) |
8d0dc49bd433b55f8ad62323dad546e53fbb9e5193988acf7a8441f4f014ff99 |
0 |
0 |
Path Traversal Exploitation Attempts |
Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
773cff12ec7cbfc99bc118e98518f2e0050d70dca13977467d5ec706e1253a9d |
0 |
0 |
Peach Sandstorm APT Process Activity Indicators |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4d6ccffdf3a551868afd13a09fd2f50c35943055c4e90b9d005e37762418ce73 |
0 |
0 |
Permission Check Via Accesschk.EXE |
Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cd3d7a697c3c3677aa8da2c29a31ba2c427c6efdde2818deab23f432540c2193 |
0 |
0 |
Persistence Via Disk Cleanup Handler - Autorun |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5ab9ef90123e539e99d776a0e46999b9821c4732f3eceac62021cd8fb8c88e80 |
0 |
0 |
Persistence Via Sticky Key Backdoor |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
62e0a8cc199a4d0a9766d75ef3213180a3865b74ce2be5948d1bc1fc5aa68e49 |
0 |
0 |
Persistence and Execution at Scale via GPO Scheduled Task |
Samir Bousseaden |
Sigma Integrated Rule Set (GitHub) |
261e256e88ce2c0fee286d620d8ff6e77e8cd38f8b7edfda21eb83ac8d48a9b5 |
0 |
0 |
PetitPotam Suspicious Kerberos TGT Request |
Mauricio Velazco, Michael Haag |
Sigma Integrated Rule Set (GitHub) |
ea26c5b32a6c3921fdfe6b9e3d229e17679f51ee8479750522d3af1a3e499d7e |
0 |
0 |
Phorpiex Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
49cbcdd3c2bd2982afc88c5858d00892e8d508453878c1a3cd42562042976e54 |
0 |
0 |
Pingback Backdoor |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
12147457a137c617a8c55dbaedd9bc3c0cec1a58f0abd3a364a57af2b9dc7967 |
0 |
0 |
Pingback Backdoor |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
5c3e50d74286082eb71b88893a78ffa754ccb9d60b9acce0bb0b8cb91d5ba31d |
0 |
0 |
Pingback Backdoor |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
f384452415580cfacef78ec66267f7d0bfb736fee4faca1b9d7d41f0a7975af2 |
0 |
0 |
Pingback Backdoor Activity |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
6445b62d62c302592ad18186139719c0e819f43d9a6beed3bf0ab7f2d451d194 |
0 |
0 |
Pingback Backdoor DLL Loading Activity |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
ea92810a14a762b008597bcf3399fe14869e0f793089b7e162701a7be5def9bd |
0 |
0 |
Pingback Backdoor File Indicators |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
25fa9043dc7fef1e4d5f8f2c702b53d1134ca5d490bae826fd7ecf2551f3e2ce |
0 |
0 |
Ponmocup Malware Behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
552054511e656c379a350ba0be389fc00411a46c49cefaa5969933937782bd7f |
0 |
0 |
Possible CVE-2020-1472 (zerologon) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
004fb7066c5a25b3f6a6420c6a8725fbc30258b16fb591b4c9b86b9da893d74d |
0 |
0 |
Possible CVE-2020-1472 (zerologon) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
b2199e218352cf6a91e1a9ea26af1aa07e66c291293a802c8fdf82966b40dbe4 |
0 |
0 |
Possible CVE-2021-1675 Print Spooler Exploitation |
Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
bead488a4543b9f760689bdc7093fc4540098b5bcf3c09c678976c6ed6354eb2 |
0 |
0 |
Possible CobaltStrike PsExec filenames (via audit) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
733bf87ef65e4345273fe19b29d4ece1a8f2959d0e60073864e1596be59171e4 |
0 |
0 |
Possible CobaltStrike PsExec filenames (via audit) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
a2858e2b79b3da9a5b4d1304cbcd84acf91d6a6062ca5f095b0d774272030879 |
0 |
0 |
Possible CobaltStrike PsExec filenames (via audit) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
a321323d7d6157b4259e681855280c87bb847b7bc7874bc3fabdbdf23ec563c7 |
0 |
0 |
Possible Coin Miner CPU Priority Param |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
066bf65181967c1e98ac2f9df11a8fd671e19d04a92efcac223bb0d380b06fdf |
0 |
0 |
Possible DC Shadow Attack |
Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah |
Sigma Integrated Rule Set (GitHub) |
b2fec2248b287bf7e5d5226c97e0e035d64995c904571c48230b8adac0240d6b |
0 |
0 |
Possible DCSync Attack |
Sagie Dulce, Dekel Paz |
Sigma Integrated Rule Set (GitHub) |
186f4002dfd67833333c33662a78269f441aaeb8d7fb391717c493a0245291e1 |
0 |
0 |
Possible DNS Rebinding |
Ilyas Ochkov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7a69b135d65a01f7902597771e9c5634482fc44f6a01ddde76c647a9b293f852 |
0 |
0 |
Possible DNS Tunneling |
Patrick Bareiss |
Sigma Integrated Rule Set (GitHub) |
e597452786d564a9ef7996902a2c2c93c77f558932cbf4f4bdf5a3bc3bd8414f |
0 |
0 |
Possible Data Collection Over SMB |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
ac79c3ded0f25a49a60eeb6806049f4e21c47eff774ed79ceb760b8377ace4c6 |
0 |
0 |
Possible Data Collection related to Office Docs and Email Archives and PDFs |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
d6ed6d774c0f9d1aa8f9e7c8d6e850cccf5682e206f4cf08de83bda6b90994fb |
0 |
0 |
Possible DePriMon activity (via registry_event) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
05a6eb84ba469846def921f914e3d8b9fbdd2692488b9f37c291938d73de1a2c |
0 |
0 |
Possible Directory Traversal Web Server Attack |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
c49479c5356b52e94528e552ed642e4987c6a5c700ed76ebe1536af2231219d0 |
0 |
0 |
Possible Exchange CVE-2021-26858 (via audit) |
SOC Prime Team, Microsoft |
SOC Prime Threat Detection Marketplace |
e69ddf941adc94abece38df217d775b76868df2e2ea22a1ec52a70e9f236fe22 |
0 |
0 |
Possible Exchange CVE-2021-26858 (via audit) |
SOC Prime Team, Microsoft |
SOC Prime Threat Detection Marketplace |
ff377bfd583855c832c7dd822b71dcb07ea79b550063b031c7e96add1d6524e5 |
0 |
0 |
Possible Exchange CVE-2021-26858 (via file_event) |
SOC Prime Team, Microsoft |
SOC Prime Threat Detection Marketplace |
0fe11fe110197a5d21d1f4c9b2fed3e8f8afe8066ffa9242e24a9a95abe2516a |
0 |
0 |
Possible Exchange CVE-2021-26858 (via file_event) |
SOC Prime Team, Microsoft |
SOC Prime Threat Detection Marketplace |
99b35216607149affdfa929b0e387d69d2806cbefee2308c2735848d194d344d |
0 |
0 |
Possible Exploitation of Exchange RCE CVE-2021-42321 |
Florian Roth (Nextron Systems), @testanull |
Sigma Integrated Rule Set (GitHub) |
5a40221e67f7aba15ef82f3d0d7b2b844f8ae17825570bff630c88811cc4ad61 |
0 |
0 |
Possible F5 BIG-IP TMUI Attack CVE-2020-5902 |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
218640966c9d97eb1eff96fd1e484617b91f4df0ea75bcf0e4e5cb6fdf8d99b6 |
0 |
0 |
Possible F5 BIG-IP TMUI Attack CVE-2020-5902 |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
6479d3a228183d5f5cbc12cf06692c41fdde83f2aeac8f71a156a2a48b648a32 |
0 |
0 |
Possible F5 BIG-IP TMUI Attack CVE-2020-5902 |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
716a5ff18b2ab00b814d6e1cddf7647371f09788e189c010c793f26da08fd75b |
0 |
0 |
Possible F5 BIG-IP TMUI Attack CVE-2020-5902 |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
88b5d334ee9ea111b57d657cd139707d075dd8ed6627da16a793126604d859dd |
0 |
0 |
Possible F5 BIG-IP TMUI Attack CVE-2020-5902 |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
c1f2f68a9cff2de7103eeb1fd31cdbaf1b6fa00837c80f48223a78b3610f8eee |
0 |
0 |
Possible Flash 0day execute embedded in Word document. (Sysmon) |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
b817381a55e4395f3432afdeaba45bc656fe1d69add003ca93890ee9dbb88dc8 |
0 |
0 |
Possible HAFNIUM Webshell March 2021 (via web) |
SOC Prime Team, Microsoft |
SOC Prime Threat Detection Marketplace |
3f570551a3f5298bb8ffcdbfa6a8a34da33b20e2466ac118693efa67b24e4b43 |
0 |
0 |
Possible Impacket SecretDump Remote Activity |
Samir Bousseaden, wagga |
Sigma Integrated Rule Set (GitHub) |
d662c9e44d08cdfba8767e63ec2258087b3839be1275833c535955e8dfdc962a |
0 |
0 |
Possible Impacket SecretDump Remote Activity - Zeek |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
0f0d88d275fc1726d496bdd1f93e157e9474e735b61dce0f2a1a7e62b73aa4d0 |
0 |
0 |
Possible Impacket SecretDump Remote Activity - Zeek |
Samir Bousseaden, @neu5ron |
Sigma Integrated Rule Set (GitHub) |
9817f9971438f3d35c3ff932f369427b842af1830ee9d876b82315c2af4ec94b |
0 |
0 |
Possible MS RDP Worm activity aka "BlueKeep" (CVE-2019-0708). |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
4f9d5b07a08c2a6f429d46dd58004d7b7cd97555012e4b197608622358100e0c |
0 |
0 |
Possible Malicious Docker Image was Uploaded. |
Brandon Hart |
SOC Prime Threat Detection Marketplace |
8883f6245da8667a77cc2858555fe077b1437141d61a2ce027184b194828a850 |
0 |
0 |
Possible PetitPotam Coerce Authentication Attempt |
Mauricio Velazco, Michael Haag |
Sigma Integrated Rule Set (GitHub) |
8b1c0d38f0e9f17fd31e1b3ae1092dd248b2ae07a01e4a431516fa46995b8d0f |
0 |
0 |
Possible PrintNightmare Print Driver Install |
@neu5ron (Nate Guagenti) |
Sigma Integrated Rule Set (GitHub) |
ad5c13aa09c3e5f96d8d44e50e12cbf519a648471259976a40654ceb7215e58a |
0 |
0 |
Possible Privilege Escalation via Weak Service Permissions |
Teymur Kheirkhabarov |
Sigma Integrated Rule Set (GitHub) |
6a8c7191c56707b059d6c77b850fd9a1f9bc6c202dd771d100565edecef8686b |
0 |
0 |
Possible Remote Password Change Through SAMR |
Dimitrios Slamaris |
Sigma Integrated Rule Set (GitHub) |
b1713847a4daf31e020cbf71527ef33d0662b5c19661263ab551e6ad9fd67ab6 |
0 |
0 |
Possible Ruby on Rails CVE-2019-5418 PoC |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
6fba8939e048342afcf17dfc048d360bac3d5b6624cf12a22d156736dd818870 |
0 |
0 |
Possible Ruby on Rails CVE-2019-5418 PoC |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
75865efeda875bb8b0aac82fb3b5a47ff0e7f843016157ee8942621977061407 |
0 |
0 |
Possible Shadow Credentials Added |
Nasreddine Bencherchali (Nextron Systems), Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
3ac58da064a3212ab62b43328991ce32be6d99ccf2d321b3a2e95bcd32091c2b |
0 |
0 |
Possible Unknown Exchange 0 day March 2021 (via web) |
SOC Prime Team, volexity |
SOC Prime Threat Detection Marketplace |
b9468847ca9a6e3d39ea2b21395d1127e2ffa91f808f3fc8942ef0d65b7f12f7 |
0 |
0 |
Possible VMWare vCenter Exploit CVE-2021-21972 |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
42df827de0dcea1b983942ba353a02fb956b2fde9a0ad6588f317f9ffd56110b |
0 |
0 |
Possible VMWare vCenter Exploit CVE-2021-21972 |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
b9b880760f2efb391cc1fc7cb12a935b3838db71ee45575fc112bbe9b4a306a1 |
0 |
0 |
Possible Webshell - Rare PUT or POST by IP |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
12b4ca0d87e88664b966d19bd99b3ccc51ff3c7ee9c0a5458b0f0675a0cd65cc |
0 |
0 |
Possible Webshell - Rare PUT or POST by IP |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
7a8435fc28a2572f17ab389949908468b06e249365c83e2203a00baa233b8eb2 |
0 |
0 |
Possible Windows Executable Download Without Matching Mime Type |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
815d6d2c68a3ef44716300a07a6814032d253de34cd2f2be2648db1efc8c3b61 |
0 |
0 |
Possible Zerologon (CVE-2020-1472) Exploitation |
Aleksandr Akhremchik, @aleqs4ndr, oscd.community |
Sigma Integrated Rule Set (GitHub) |
e4567b8b5187e55fdafa46896fe44aa16e80e8299fdf616562294969ae32c7a6 |
0 |
0 |
Possible emails/attachmets extraction by Emotet |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
413ee025b8a23df869f7342778fc274599e24cfb881e26cde55b06feddae06bd |
0 |
0 |
Post CVE-2017-5638 exploitation |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
f0750e1ec35c54a3e4b96c31c30c90992261adc3f0dbfc07f1c841b4cd0b5be0 |
0 |
0 |
Potential AD User Enumeration From Non-Machine Account |
Maxime Thiebaut (@0xThiebaut) |
Sigma Integrated Rule Set (GitHub) |
1a4024d9c095d28a1da18eb257926feded8ec7d7ea03762f6eab63b22a41721e |
0 |
0 |
Potential AMSI Bypass Script Using NULL Bits |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
94da285d1058a55c822bdfec3f469a4fcf37f0b3217591da9503bc50ae05655f |
0 |
0 |
Potential AMSI Bypass Using NULL Bits |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
054dbba8c1d1faafff40931cbfdd4d09a23d3459cfad14e5dd89db657677536e |
0 |
0 |
Potential APT FIN7 POWERHOLD Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d17ea5be7d772d983fe2447b9108465dfff299fde4e45820d3f670714f8207c9 |
0 |
0 |
Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1e370cd2fa88cbb7648b059f66e73bf1af9f8755885ca85e022768f679e4da55 |
0 |
0 |
Potential APT FIN7 Related PowerShell Script Created |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5fb75fc0baebfac35cd9d6515913d97175994556d758f7879fb483e528a58685 |
0 |
0 |
Potential APT Mustang Panda Activity Against Australian Gov |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
09c4fe58b3cc0fc08b7125827492b9d4ea6ad1ae52befdeb33f268eee8b2d7d4 |
0 |
0 |
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 |
Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fa6fe737f5145762e909801e31b442ca6e73fb112f26179762cd60b5c64a4867 |
0 |
0 |
Potential APT10 Cloud Hopper Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
860cd791b52ed03d76e2842429f67b1ac870f8f77a5a09b472fbbf3c964ee708 |
0 |
0 |
Potential AVKkid.DLL Sideloading |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
567023ddc2833cc725f7364853a2f92117ec5f472dfe49a0f3b50e094fe5c901 |
0 |
0 |
Potential AWS Cloud Email Service Abuse |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
1f0cc71727a1277e80f2ce9d508865b93122a086b90c6814c8c079f81baebcf3 |
0 |
0 |
Potential Access Token Abuse |
Michaela Adams, Zach Mathis |
Sigma Integrated Rule Set (GitHub) |
46732bf62a468ba6d41a49d14771d1c58895412b420d96244c0afdad9e6e2350 |
0 |
0 |
Potential Active Directory Enumeration Using AD Module - ProcCreation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
fd3e3db7d1c143a5c775264d1b9a8768986b744bdbb9b43836d78859b52e3c34 |
0 |
0 |
Potential Active Directory Enumeration Using AD Module - PsModule |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
63b566166f9c32a94d1f702a96993c2ad48b3adb0a838fa3d24b385285245086 |
0 |
0 |
Potential Active Directory Reconnaissance/Enumeration Via LDAP |
Adeem Mawani |
Sigma Integrated Rule Set (GitHub) |
afe088ee5f69ba6fb59e2c89d995b9a77ed2636f341d9222a077422e7ccb35d8 |
0 |
0 |
Potential Adplus.EXE Abuse |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c294891087a9b38205e66bfa114d15656288be13570e767a97f524f8f565f2cd |
0 |
0 |
Potential Amazon SSM Agent Hijacking |
Muhammad Faisal |
Sigma Integrated Rule Set (GitHub) |
696180403d126a08a9b5d3d5d0cc56eeb73940198f654c54c05a89fd89af3884 |
0 |
0 |
Potential Arbitrary Code Execution Via Node.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c338961afb17f36d8f91b99822d7b9f6281cfa439131caae5ff614c28b98f7e9 |
0 |
0 |
Potential Arbitrary DLL Load Using Winword |
Victor Sergeev, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f5901bba2c7e41d225bb4ceeccbffab6be2a894654be881fa62d19f6acf1aaca |
0 |
0 |
Potential Arbitrary File Download Using Office Application |
Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ea2e6d12452bb96efe983fe35dede0d7e4c30aa5e624a44ce14f6c0fbe84896f |
0 |
0 |
Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
56b5ba6ff40bf2213da0f48c868136707e52c6ca8ac602bf6013d111e87ea977 |
0 |
0 |
Potential Baby Shark Malware Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7e3c417e8dc74e72824b44e745f3abcd085e70e309ca15d279f127de94331f6e |
0 |
0 |
Potential Backup Enumeration on AWS |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
d4fe3d14eb98f8bd48ba0af6073d33644b463c53f1fb6514c2f758322d2e810a |
0 |
0 |
Potential Base64 Encoded User-Agent |
Florian Roth (Nextron Systems), Brian Ingram (update) |
Sigma Integrated Rule Set (GitHub) |
1a33a54c8b4cec7be96c448c6c1917927cc89302b66f0a3b5b72ea604e1f3368 |
0 |
0 |
Potential Binary Proxy Execution Via VSDiagnostics.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d254d605d2c54c5e5e334631be39baf8498edc0f816c748110cdf2fe84417ec4 |
0 |
0 |
Potential Bucket Enumeration on AWS |
Christopher Peacock @securepeacock, SCYTHE @scythe_io |
Sigma Integrated Rule Set (GitHub) |
ea761c1a1e4e4a5e123e51d2b942c507f041bf3990b3a406cec11158b49f40d3 |
0 |
0 |
Potential Bumblebee Remote Thread Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c8f014ee43cb3fab9f235f104d16cf3641236cd69f3975b08abac22e75458d45 |
0 |
0 |
Potential COLDSTEEL Persistence Service DLL Creation |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5d970804cc6cf2dbc8bf067e5377b8b2af332b907a116f448e949ab9ccb3bb83 |
0 |
0 |
Potential COLDSTEEL Persistence Service DLL Load |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
80193ebed321c90c26b4a26fb444721b3bf4daef02c486a64a21f4862c016058 |
0 |
0 |
Potential COLDSTEEL RAT File Indicators |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b9c2f8e9feba99e3d029c979914f75d9cf4f7523dcf4f10055d56c39c481072c |
0 |
0 |
Potential COLDSTEEL RAT Windows User Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a3a603d2f99edd43eb8adcd1b2e05195ec7fb090922736f2cd9835d81f7b6fee |
0 |
0 |
Potential COM Object Hijacking Via TreatAs Subkey - Registry |
Kutepov Anton, oscd.community |
Sigma Integrated Rule Set (GitHub) |
3a5176242220f6a6e49fd00b2b47af50918dae9ca9edecfcfa843475d2e01df0 |
0 |
0 |
Potential COM Objects Download Cradles Usage - PS Script |
frack113 |
Sigma Integrated Rule Set (GitHub) |
139dfd44d42316af195b126ba90bfe2e69202770b83f23cedc967bd558604186 |
0 |
0 |
Potential COM Objects Download Cradles Usage - Process Creation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e5fff7aee020ea6000e66e12d6d0e617832fc128e2a242a10a39344f9fd59385 |
0 |
0 |
Potential CVE-2021-26084 Exploitation Attempt |
Sittikorn S, Nuttakorn T |
Sigma Integrated Rule Set (GitHub) |
988717863a64de8f70fbc7f771469050a6d089e9d81944d9e0566adfa36779c5 |
0 |
0 |
Potential CVE-2021-26857 Exploitation Attempt |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
6a562c9f35089d87a91ec35ae35044bfb9902969d69d04e8f50b1e9f2b14b4d0 |
0 |
0 |
Potential CVE-2021-27905 Exploitation Attempt |
@gott_cyber |
Sigma Integrated Rule Set (GitHub) |
a4b1b8220aa7c05b19e396969fd8249d20e0dca66f3c7155bbc943f224536061 |
0 |
0 |
Potential CVE-2021-4034 Exploitation Attempt |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
d0cbc247e993696fffe6ecb6dac1ea715cb8a3aef0ce4e86e754f40223259b0d |
0 |
0 |
Potential CVE-2021-40444 Exploitation Attempt |
Florian Roth (Nextron Systems), @neonprimetime |
Sigma Integrated Rule Set (GitHub) |
f438a85d4d0729d23171fa1823ccdb8541fc46f2e71ea2827ad42bc7f373a360 |
0 |
0 |
Potential CVE-2021-41379 Exploitation Attempt |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1649fcc98b56dc9cfc742a4a6df24ac3e91123ac466268300afc87e3f91191e2 |
0 |
0 |
Potential CVE-2021-42278 Exploitation Attempt |
frack113 |
Sigma Integrated Rule Set (GitHub) |
864e1d1683353be902b628feefe866931925fd28550796b04dc914f4e7ff53ea |
0 |
0 |
Potential CVE-2021-42287 Exploitation Attempt |
frack113 |
Sigma Integrated Rule Set (GitHub) |
f874aeee1f8b9f847924270cf5a2084d672f053cbab5d8cbf343085a03c3eff4 |
0 |
0 |
Potential CVE-2022-21587 Exploitation Attempt |
Isa Almannaei |
Sigma Integrated Rule Set (GitHub) |
027808bfa478c6125ac1c20b8f848bb360ff1479cfcba8ae648cc1945849bbd2 |
0 |
0 |
Potential CVE-2022-29072 Exploitation Attempt |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c09e0c560b391eaf6627874d519025cc691ab8a239ec19cee6c292940ab203e2 |
0 |
0 |
Potential CVE-2022-46169 Exploitation Attempt |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7b8792d32a2701b3cd057b81e876fde2e428b0de253197dc52e387b030882aad |
0 |
0 |
Potential CVE-2023-21554 QueueJumper Exploitation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fb836f7e352be6c866700f559f6e67fe4a83685138a8fed37016ba248bbcde63 |
0 |
0 |
Potential CVE-2023-2283 Exploitation |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
299bb32a976fbd25057405233a490d07a55b1beb29e277d8317a1c89f70b8389 |
0 |
0 |
Potential CVE-2023-23397 Exploitation Attempt - SMB |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
27dbf54b6cd4b104057b215817ae0046524b7ef4546bb0c0b54886340f7fd5a2 |
0 |
0 |
Potential CVE-2023-23752 Exploitation Attempt |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
4ad59746f3bc0c924d623069c394bd1c884c3d8184db005db2f4b8e6f4d7e9eb |
0 |
0 |
Potential CVE-2023-25157 Exploitation Attempt |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3cb099e30b8ed6aa61a7bc67f49d081698f21ab3e76e38228019635ca5bc0763 |
0 |
0 |
Potential CVE-2023-25717 Exploitation Attempt |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9449f07f044a9672fdc0d6b172f5a90ffa258799c44a8cfc4c426b72e57e84da |
0 |
0 |
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader |
Gregory |
Sigma Integrated Rule Set (GitHub) |
7126ea48e860a4d1b50ce097fbbb86408095669f3a451bdf2b89f45b97fedd8a |
0 |
0 |
Potential CVE-2023-27997 Exploitation Indicators |
Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
41bfc7b79197af6f328ab6c7da8d948ebf34fd55be685f542a5a6c102753ddc3 |
0 |
0 |
Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
19fa52160548b6228e020a872b494d789b1024fc40b88aec57dd7764c8cef65c |
0 |
0 |
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
57eb42aae7f21cf9f00cad342cd2df68f35ad5b65f64356e029fc9a252bfb045 |
0 |
0 |
Potential CVE-2023-36884 Exploitation - File Downloads |
X__Junior |
Sigma Integrated Rule Set (GitHub) |
7ff82a226393a799e4fda3c2922933f7a9a5789088b007cf77c2a9b55ca845af |
0 |
0 |
Potential CVE-2023-36884 Exploitation - Share Access |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e19e915855535f1f8f3404a5d54ee1ea432a7600b670a3879f0ed11e6f8f4d78 |
0 |
0 |
Potential CVE-2023-36884 Exploitation - URL Marker |
X__Junior |
Sigma Integrated Rule Set (GitHub) |
cd8e9f183a0cf57d1103b900e9fa528e843824513a938b3a12393d9a9927ea46 |
0 |
0 |
Potential CVE-2023-36884 Exploitation Dropped File |
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0f95079db467bd6f132e6ea1066a853ff7f038366fee6916827685d147b7b4da |
0 |
0 |
Potential CVE-2023-36884 Exploitation Pattern |
X__Junior |
Sigma Integrated Rule Set (GitHub) |
bf71c7a7c948854f4b9178a1437bedb5251f01b09c4f6c1f05b51e1cab8d2671 |
0 |
0 |
Potential CVE-2023-46214 Exploitation Attempt |
Nasreddine Bencherchali (Nextron Systems), Bhavin Patel (STRT) |
Sigma Integrated Rule Set (GitHub) |
39a0e23b4d4dfab6cb4161de39bb03d86b568de0b8c63f3e670c208bba445c58 |
0 |
0 |
Potential CVE-2303-36884 URL Request Pattern Traffic |
X__Junior |
Sigma Integrated Rule Set (GitHub) |
27f364f4b7fe39b84d30bb720a7a72644be8d6ea678298b9630244cd9063a981 |
0 |
0 |
Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877 |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2488e16f373e733821b632c6a3c2368da7f600b9302963a8043ae377ed07dfb1 |
0 |
0 |
Potential CobaltStrike Process Patterns |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f6b39e4a331f85ca7590bf725ff05b84567ac82eecf2ef761c60e4baed042482 |
0 |
0 |
Potential Compromised 3CXDesktopApp Beaconing Activity - DNS |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
584b74d5fe7890202b3290099661a831bcfc55ee514078214bf4530dd50a42d0 |
0 |
0 |
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9a8d6fcad871fab5ae0575788b3da2154aa859c62244e5bb740302ce7b9054c1 |
0 |
0 |
Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f00bd3853dcfa6a07a545526bb14e0e029f716dd6d239c7343a7c85b8c13113a |
0 |
0 |
Potential Compromised 3CXDesktopApp ICO C2 File Download |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
321ae7c2bb927b9439935fb8449149019ff5ed2a8324902434397c637d709f7e |
0 |
0 |
Potential Compromised 3CXDesktopApp Update Activity |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2261c99b1e77d29a5d447aedc127cd8ea8c6833b21065440deca37b770f7b784 |
0 |
0 |
Potential Container Discovery Via Inodes Listing |
Seth Hanford |
Sigma Integrated Rule Set (GitHub) |
cb1b07cf011267435ee38cf5d6632ef663fee3578ece289552aec8661d8bacdd |
0 |
0 |
Potential Conti Ransomware Activity |
frack113 |
Sigma Integrated Rule Set (GitHub) |
c41fdd8a72030a4b0b96e025a1f36e7970262ad1e17a4ad2a29f643cb2033927 |
0 |
0 |
Potential Conti Ransomware Database Dumping Activity Via SQLCmd |
frack113 |
Sigma Integrated Rule Set (GitHub) |
a8204898cf8fc5736e342a77657426a9af40b6b573152d2d6e852a3112dead6d |
0 |
0 |
Potential Cookies Session Hijacking |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6a27e2c1cd86098243cb0c0c1ef9b5074d9a2285e100c4648259cbc65f70ee02 |
0 |
0 |
Potential Credential Dumping Activity Via LSASS |
Samir Bousseaden, Michael Haag |
Sigma Integrated Rule Set (GitHub) |
63d1c446465d6c6205e2452b5fca8715042ebcc9bfa04624288ce34d07cfa028 |
0 |
0 |
Potential Credential Dumping Via LSASS Process Clone |
Florian Roth (Nextron Systems), Samir Bousseaden |
Sigma Integrated Rule Set (GitHub) |
489015366445b29d739d0c35ebba4e9278457dd045568abcf2266370379e7944 |
0 |
0 |
Potential Credential Dumping Via LSASS SilentProcessExit Technique |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
04ff5b08364c475a034622812a1a7c93e181b8b348d6dc3b1fe28b11828e7d23 |
0 |
0 |
Potential Credential Dumping Via WER |
@pbssubhash, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
479127bceeb1e84ef9894793b27b1ae8adae99def09d48a8f448176a91dae129 |
0 |
0 |
Potential Credential Dumping Via WER - Application |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7f27aca3e2c187a0217b0001e76da87aa7acba5f60e75f6aea520d51e103a2f3 |
0 |
0 |
Potential DCOM InternetExplorer.Application DLL Hijack |
Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga |
Sigma Integrated Rule Set (GitHub) |
fe14d9fd1cf76dd06d0659c255e22519d80815f1e23e69757a8cd989049216da |
0 |
0 |
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load |
Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga |
Sigma Integrated Rule Set (GitHub) |
c93fc81f487e67f1eb297817c9b905d0ef0a2690dd920aad9520307d2a2e211c |
0 |
0 |
Potential DLL Injection Or Execution Using Tracker.exe |
Avneet Singh @v3t0_, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b829a2f1ed89d5380f218ac5f6e134b4301319062cf792789557f30f6f903d24 |
0 |
0 |
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE |
Swachchhanda Shrawan Poudel |
Sigma Integrated Rule Set (GitHub) |
81bca906324cf27310dabd3f7ea96e340ba806166d4b698cadc0f9d196c04327 |
0 |
0 |
Potential DLL Sideloading Via DeviceEnroller.EXE |
@gott_cyber |
Sigma Integrated Rule Set (GitHub) |
19ac09f51e497a26abb334abfa3680915ee0dab6ac32186cd566da99c9a9679b |
0 |
0 |
Potential DLL Sideloading Via JsSchHlp |
frack113 |
Sigma Integrated Rule Set (GitHub) |
9c2da4d12e3887bc7e0d30c06d898e9264a784b1c67a7900108966adc03de166 |
0 |
0 |
Potential DLL Sideloading Via VMware Xfer |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
648e887ccecd76cd0db908de6276e6d379a7021e8b07c080829f668909643540 |
0 |
0 |
Potential DLL Sideloading Via comctl32.dll |
Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) |
Sigma Integrated Rule Set (GitHub) |
43388bbb3c4d294597535039c0850a6ff2f23c214590b3ad9a1187f758c50d53 |
0 |
0 |
Potential Data Exfiltration Via Audio File |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a27c89bcbceb007b0a4687304876721a37af40db0950d4fb70e05d5cfbcd7050 |
0 |
0 |
Potential Defense Evasion Via Raw Disk Access By Uncommon Tools |
Teymur Kheirkhabarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a89a26f2bdfeb3c1f3e5ad8acf0a4a51ef45bb9859403cee7f91739b74d79dec |
0 |
0 |
Potential Devil Bait Malware Reconnaissance |
Nasreddine Bencherchali (Nextron Systems), NCSC (Idea) |
Sigma Integrated Rule Set (GitHub) |
445394791bace711515155030aef534865553bd988b2b804ef1ffb18705db796 |
0 |
0 |
Potential Devil Bait Related Indicator |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
301673a9f3cae7bcb7975bda50b7a581027e7db7f6c5ed3e24c088deb8d6c5bc |
0 |
0 |
Potential Direct Syscall of NtOpenProcess |
Christian Burkard (Nextron Systems), Tim Shelton (FP) |
Sigma Integrated Rule Set (GitHub) |
e01fcd88ad6ac5ad9762f652a28d6c714dc5ccf89b89c118bdd3bb33e5cf8abd |
0 |
0 |
Potential Discovery Activity Via Dnscmd.EXE |
@gott_cyber |
Sigma Integrated Rule Set (GitHub) |
3532c0dc3eff7b92a7fbcf895c652861c958c9da1c800e53bbac333d170e565c |
0 |
0 |
Potential EmpireMonkey Activity |
Markus Neis, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5e739870e4f0680d4f5cb3caa8012e5362e20450756aaed3d6d5c2156e412a1c |
0 |
0 |
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp |
Aaron Stratton |
Sigma Integrated Rule Set (GitHub) |
50c60774fa108626ebfe23d57b56eec445eb8c8279be77ddeee68b957dcfb219 |
0 |
0 |
Potential Exfiltration of Compressed Files |
Greg Howell, OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
1211ca2125800a5536381bbbaa31e5785a63d393b5361c9c79a2fdc9327a21df |
0 |
0 |
Potential Exploitation Attempt Of Undocumented WindowsServer RCE |
Florian Roth (Nextron Systems), Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
14f73583aface1453a515ca93ca097876b59a07d76241effc32bf0199da3fb24 |
0 |
0 |
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process |
Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
48dbaec155cb7265fad0b676cb9f6fc6036d1b55ad2ba82a696b996da7c2bc9c |
0 |
0 |
Potential File Download Via MS-AppInstaller Protocol Handler |
Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel |
Sigma Integrated Rule Set (GitHub) |
39f5929282111d370cc6a23bcd49a9fee247d6e037a308f4ff6d06d21158badc |
0 |
0 |
Potential Forced External Outbound DCE_RPC |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
2b3b8e854d19405e5e6c9c31054a6c326d1039ac85adacc9d7aa4959aa5f1fc0 |
0 |
0 |
Potential Forced External Outbound GSSAPI |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
19c3e23b94517f688049e3988bf887fd740097d02ec462d5b0eb20e52f2b568f |
0 |
0 |
Potential Forced External Outbound NTLM |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
aad30630b73b0f4a4236cce2c8d814e292ee13ba01bebf01326ebda63aeacc7a |
0 |
0 |
Potential Forced External Outbound SMB |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
b7eb3b4728494a3c2f99e1d09ccee9a7405011f233c531096f5ae77b9367a6c9 |
0 |
0 |
Potential Forced LLMNR Lookup |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
263ef200cd98649e7eb618ce3d0700e62dfddb6368b1167c164c8437f249eaaa |
0 |
0 |
Potential Goofy Guineapig Backdoor Activity |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f760ac944c015c43e49bc95f9bb577251fa129ba4b54a99d7224477f1a23d7ca |
0 |
0 |
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream |
Scoubi (@ScoubiMtl) |
Sigma Integrated Rule Set (GitHub) |
4ec129d4d31936095fbea41fd619d2ea1c7c39528507f4034f1f52123bd50eaa |
0 |
0 |
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI |
Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl) |
Sigma Integrated Rule Set (GitHub) |
a50b188a0c105372cc80823fb02cd04fbfea498c22d7acc2429ecb15d8d41b9e |
0 |
0 |
Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy |
Nasreddine Bencherchali (Nextron Systems), Thurein Oo |
Sigma Integrated Rule Set (GitHub) |
67d2f0a9c5f99ee88a81405bbee0076253b15e5de3ade6d2951e78bae186860a |
0 |
0 |
Potential Information Disclosure CVE-2023-43261 Exploitation - Web |
Nasreddine Bencherchali (Nextron Systems), Thurein Oo |
Sigma Integrated Rule Set (GitHub) |
e6b4000945eee0352f09a16a4f4d0f19b2b034aa18184d4825700d0ce9925693 |
0 |
0 |
Potential JNDI Injection Exploitation In JVM Based Application |
Moti Harmats |
Sigma Integrated Rule Set (GitHub) |
fad3443623ff791eb6c82707c02b2de557b50bf83c2eb68db5975f3485c48e0c |
0 |
0 |
Potential KamiKakaBot Activity - Lure Document Execution |
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3a3f5d1b80edda2f9e47a63bc78d15ed80a3457e0676c523e0dbf32e84c3a93b |
0 |
0 |
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation |
Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
aadd8a16cd6c42e6682cccf2d0459606a40819fbd2bb183516267a75594747f0 |
0 |
0 |
Potential KamiKakaBot Activity - Winlogon Shell Persistence |
Nasreddine Bencherchali (Nextron Systems), X__Junior |
Sigma Integrated Rule Set (GitHub) |
4de2be13cacf0f45f04322e7db39c5518651cab02f5f211c894e7cfa81c7d93a |
0 |
0 |
Potential Ke3chang/TidePool Malware Activity |
Markus Neis, Swisscom |
Sigma Integrated Rule Set (GitHub) |
189d7c7c265aa63d59bd8d89a83cf406231c66f42999d77ba7e92640c28bc2e1 |
0 |
0 |
Potential Linux Amazon SSM Agent Hijacking |
Muhammad Faisal |
Sigma Integrated Rule Set (GitHub) |
1e627e6cc483700e2e597efbb4ebfcdcb428cc3642acf037a3c9ea08b5c7312a |
0 |
0 |
Potential Linux Process Code Injection Via DD Utility |
Joseph Kamau |
Sigma Integrated Rule Set (GitHub) |
f91a6c575f623bb0698d42522a32cb4879cfa398171e599ae6046abb8cb64488 |
0 |
0 |
Potential Local File Read Vulnerability In JVM Based Application |
Moti Harmats |
Sigma Integrated Rule Set (GitHub) |
9af39f2ed3e3b18cca40b4e0a21721b0568af7d3201fe7bdf7ad2565cf623062 |
0 |
0 |
Potential MFA Bypass Using Legacy Client Authentication |
Harjot Singh, '@cyb3rjy0t' |
Sigma Integrated Rule Set (GitHub) |
f306280b14b5a548137fceb5167bfdeac16d66ff10cde77bbcc727ad1ce5f00d |
0 |
0 |
Potential MOVEit Transfer CVE-2023-34362 Exploitation |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a093d6965209485347cfe03f8dd713d48eb48d1d5c59abbe91c61bca985808b6 |
0 |
0 |
Potential MSTSC Shadowing Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
545e2b755dc7bda66c90dfd73d0da8d2692a4c7181d99d429ad2c0253be12ef7 |
0 |
0 |
Potential Malicious AppX Package Installation Attempts |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5e0919971be7571eac4b6772525429cd48975a5f04e9640d9d771d9d255fd181 |
0 |
0 |
Potential Manage-bde.wsf Abuse To Proxy Execution |
oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ed5e62dadca0230ffc2a8a11cf9e699200080030ffff4d0d2fd4df79510c64c3 |
0 |
0 |
Potential Mfdetours.DLL Sideloading |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3c249de34d9c2aab47db1131f60ea3e894e14cd30c274741b3287c3d97037e06 |
0 |
0 |
Potential MuddyWater APT Activity |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c2860e5a2a470c1dbb00003a43f3a9f04e5180cb5c7ec9e7a5bdcdfdd86a15a9 |
0 |
0 |
Potential NT API Stub Patching |
frack113 |
Sigma Integrated Rule Set (GitHub) |
198f69172026f9559d4d5812d834c3a6496fcd9e8ffd11d66ea3c850c4b5de01 |
0 |
0 |
Potential NTLM Coercion Via Certutil.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1ad1ddce816e78648dcaee02b2a6b5ef136af51a5fe61fbcca6efa389780caf2 |
0 |
0 |
Potential NetWire RAT Activity - Registry |
Christopher Peacock |
Sigma Integrated Rule Set (GitHub) |
ce5ddd582faff7ef5d678ca346465de3df879ce2fce177a243fb03283ce96f91 |
0 |
0 |
Potential Network Enumeration on AWS |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
891a14b4e2963ba9cd28a9f8db5a697df7bffc7f6707a176eb3adcd2b2ae9d2f |
0 |
0 |
Potential OGNL Injection Exploitation In JVM Based Application |
Moti Harmats |
Sigma Integrated Rule Set (GitHub) |
54f77bf73ca31ce7e390062c6434fd91e751d5789bb544efab21957046f81146 |
0 |
0 |
Potential OWASSRF Exploitation Attempt - Proxy |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8d2bb402de93dd0ae333adcd0593587b82287a88cd5ef9fd60e8943e53846dc6 |
0 |
0 |
Potential OWASSRF Exploitation Attempt - Webserver |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
40bd574279339abab6a3bb1dec8360b10fb60b88bbb53f73a563550059559953 |
0 |
0 |
Potential Okta Password in AlternateID Field |
kelnage |
Sigma Integrated Rule Set (GitHub) |
431e7c42d4ad56a7761c1286db98502540dfdd599f8023fa901f31410a21c3c3 |
0 |
0 |
Potential Operation Triangulation C2 Beaconing Activity - DNS |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0b997b816a6c19f820031350de4154dfd55e473532750c4130c31a604e446091 |
0 |
0 |
Potential Operation Triangulation C2 Beaconing Activity - Proxy |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
54e7b0e8f4fcdc02cd47d0e6a685c63c81a83fee4f2cd476bdc88792f4fb86f2 |
0 |
0 |
Potential PHP Reverse Shell |
@d4ns4n_ |
Sigma Integrated Rule Set (GitHub) |
b4e60160bef495f2c441b8e060e506efe487d230e792210187b34681a398fdf3 |
0 |
0 |
Potential POWERTRASH Script Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f8ec4f9e19d45fc4d59388aa508789417de98b1d8d6a6efd70144f2ca3bbad09 |
0 |
0 |
Potential Password Spraying Attempt Using Dsacls.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1e6e2c997f5cb3402940f88e835e1814a3c7b303d84c8d8a6bd46bd43e939912 |
0 |
0 |
Potential Peach Sandstorm APT C2 Communication Activity |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0340e9dfea071a116ca5975ff117f52ed2f37f5ad45e4c914672529cc739a87f |
0 |
0 |
Potential Perl Reverse Shell Execution |
@d4ns4n_, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2946cc15641de2b4c9f7f9ce3a02823b2a8380cb380c5ee5fabb83b5bdda3ffb |
0 |
0 |
Potential Persistence Using DebugPath |
frack113 |
Sigma Integrated Rule Set (GitHub) |
9817b3e3cfab10551b57cc2e003ae388febfa376415366efb3f4456f9129c8ac |
0 |
0 |
Potential Persistence Via AppCompat RegisterAppRestart Layer |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
72a4106901b9bcb7dba0df1eab6bfd313b4e54960221b4b1dca3df9ba5776e07 |
0 |
0 |
Potential Persistence Via CHM Helper DLL |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ebece964bd0597ba31444efa25ebbc200ba6fb9e06a00363622cb71b32d89b11 |
0 |
0 |
Potential Persistence Via Disk Cleanup Handler - Registry |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0b56c5afbbfeaf6736e587543ddfc49dd642f65cf4bac766ffbd33f10fb56004 |
0 |
0 |
Potential Persistence Via Event Viewer Events.asp |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3ca5f2d9877dd91bcb0c7608c36520f06523f20ff5d5ab01e5b1b068b0a3b518 |
0 |
0 |
Potential Persistence Via Excel Add-in - Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
610447ca663978c0dec6cf93f1f3b7bff0f850725191f04fdbbe5abd99e75aaf |
0 |
0 |
Potential Persistence Via LSA Extensions |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f60a5c96d143ed087b9c32606a65b0d2014642125555c0e2d84334642bf05315 |
0 |
0 |
Potential Persistence Via Logon Scripts - Registry |
Tom Ueltschi (@c_APT_ure) |
Sigma Integrated Rule Set (GitHub) |
eb5ac2a9453d625eabdbb6cd9f3d499dc7ab375f902ebd8f915d5a3d033693ed |
0 |
0 |
Potential Persistence Via Mpnotify |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
392341585070cc575fd0f086bd8557cbd9b42e5bf956192318c35de6fcb26080 |
0 |
0 |
Potential Persistence Via New AMSI Providers - Registry |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
336b2653b2d53acce10e967662456beb2751b3c54417a280080fb5625a3ce752 |
0 |
0 |
Potential Persistence Via Outlook Form |
Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b8ad31e84529c4f0ecaff3ccdb07e6876487faa4fe4e57f07afb4d3a104ed7c4 |
0 |
0 |
Potential Persistence Via Outlook Home Page |
Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7b23c3334a69965bcad3cbae78bfb96013d973e4eafe5031ea53c5b35acadb90 |
0 |
0 |
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
526c6f8eef10c4c1b8603afa032ec61f611ae7d83b2988a1399fa76cb6b5536e |
0 |
0 |
Potential Persistence Via Outlook Today Pages |
Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6ae750585488b213e225f24f0cd7693782801986e4406629424e8bba973f8645 |
0 |
0 |
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9902e1055b1d4bd34f515d277c8b7ba16203bdcd2d39dc678788043361a3df0c |
0 |
0 |
Potential PetitPotam Attack Via EFS RPC Calls |
@neu5ron, @Antonlovesdnb, Mike Remen |
Sigma Integrated Rule Set (GitHub) |
21730cbb0a1909a9d76a80acd4bde103b4ccadc42883b227a3f9568259cfbfcf |
0 |
0 |
Potential Pikabot C2 Activity |
Andreas Braathen (mnemonic.io) |
Sigma Integrated Rule Set (GitHub) |
58518324fbd0fe2bd643f5abae4d5d56ba71835666c93c743750e3a92dbc05e8 |
0 |
0 |
Potential Pikabot Discovery Activity |
Andreas Braathen (mnemonic.io) |
Sigma Integrated Rule Set (GitHub) |
5b8dc515e35a6b72b0ff0cfb65b2820de9027f0049b9626a796dd7b27406f3cd |
0 |
0 |
Potential PowerShell Execution Policy Tampering - ProcCreation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5a13756c14e8aa038afbdb4efd3d382cfa14b7e2d9754b388dd079b222a34324 |
0 |
0 |
Potential PowerShell Obfuscation Via WCHAR |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f25494bc9c5e8430fee8451d8958642f0d15778570833a0af3f2c0cc1592a4ca |
0 |
0 |
Potential PrintNightmare Exploitation Attempt |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
2905d462b4ac73a3e5bd0955b9303d3a939f9fd1715035a35ceccc567892e882 |
0 |
0 |
Potential Privilege Escalation Attempt Via .Exe.Local Technique |
Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash) |
Sigma Integrated Rule Set (GitHub) |
0e09137ae6fe2a06029ed448ff414e9710dbf3d679a9e6708b4762befd21e666 |
0 |
0 |
Potential Privilege Escalation via Service Permissions Weakness |
Teymur Kheirkhabarov |
Sigma Integrated Rule Set (GitHub) |
eb45f6868e84101d08fc7e8ad4de6ebe7a9bdf7ab558ec191c3afe9857058360 |
0 |
0 |
Potential Privileged System Service Operation - SeLoadDriverPrivilege |
xknow (@xknow_infosec), xorxes (@xor_xes) |
Sigma Integrated Rule Set (GitHub) |
bb97779ed58fef8b7d6843a16b444d10cebd87234c0aab09d85ee1151b982c8d |
0 |
0 |
Potential Process Execution Proxy Via CL_Invocation.ps1 |
Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
076e35f57ad985cac0733c6afe62d6b1e84acd633b22254d9de99c537d5d5c6f |
0 |
0 |
Potential Process Hollowing Activity |
Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
0ea4bb0eeffe1e9b554ecca4139dfa9b061c84d145a03c500e624d29f4717643 |
0 |
0 |
Potential Provisioning Registry Key Abuse For Binary Proxy Execution |
Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel |
Sigma Integrated Rule Set (GitHub) |
bbb7657cb2e6ba9c27b2f7029d9bc8add03c6bfe18e327eff4c7cb9bae3b10b3 |
0 |
0 |
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG |
Swachchhanda Shrawan Poudel |
Sigma Integrated Rule Set (GitHub) |
f4fe996b364fa339ae97809d2bb69b6d19b388169eb45b0b887ec41690f216a4 |
0 |
0 |
Potential Python Reverse Shell |
@d4ns4n_, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4b91dc7d635b10b9746e99a41fb0f36245f183f38dbfcfc94fb4e8bdd06e6933 |
0 |
0 |
Potential RCE Exploitation Attempt In NodeJS |
Moti Harmats |
Sigma Integrated Rule Set (GitHub) |
cbf44b87562b0786c6fa5b8dde93a92c9ed705aa46e05cdd7168ee68172b9833 |
0 |
0 |
Potential RDP Exploit CVE-2019-0708 |
Lionel PRAT, Christophe BROCAS, @atc_project (improvements) |
Sigma Integrated Rule Set (GitHub) |
8b02859a07f68105c212ab8620bad0936e88ff1273a8ea016f9c1c6c6789a39e |
0 |
0 |
Potential RDP Tunneling Via SSH |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
12074ed2612acda59c311b37dede60edf5bcac6c5e57379e8a2668ed4c92b296 |
0 |
0 |
Potential Registry Persistence Attempt Via Windows Telemetry |
Lednyov Alexey, oscd.community, Sreeman |
Sigma Integrated Rule Set (GitHub) |
ca3672e906735c6f2aa0f7aa73bd9796d29cd4f03ef8541b6bb17a0518502b51 |
0 |
0 |
Potential Remote Command Execution In Pod Container |
Leo Tsaousis (@laripping) |
Sigma Integrated Rule Set (GitHub) |
e79787b46b82a4ca8d76fa83e9d06a4ba6ccab7736936a057da4582db70c6c1c |
0 |
0 |
Potential Remote Credential Dumping Activity |
SecurityAura |
Sigma Integrated Rule Set (GitHub) |
f91881b7a52aa28d428a4b4ae3eb24c640f3624869a78c2bb9489aba67bc4bb6 |
0 |
0 |
Potential Remote Desktop Connection to Non-Domain Host |
James Pemberton |
Sigma Integrated Rule Set (GitHub) |
4c5c4668e312589fc1aa4db734482c2b724cda2ae380d3de9dfdac43ccd99fc4 |
0 |
0 |
Potential RemoteFXvGPUDisablement.EXE Abuse |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cb8936fcf36d16982575da13504782d400992adaac08cd26ba7845c4a4279dee |
0 |
0 |
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module |
Nasreddine Bencherchali (Nextron Systems), frack113 |
Sigma Integrated Rule Set (GitHub) |
c16e468ec3aab5a450c958946bf9ad962dd0a0b337178f1bdc125ca014779760 |
0 |
0 |
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
759253ba1bb36b861502eaa6dba06ea6212695bd498716a895e2d4d9560f45ef |
0 |
0 |
Potential RipZip Attack on Startup Folder |
Greg (rule) |
Sigma Integrated Rule Set (GitHub) |
fe224efff15c7f2738f0f64af49096cdca3e8c25601a4cc4b502682f304e7e9e |
0 |
0 |
Potential RjvPlatform.DLL Sideloading From Default Location |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
527010f6a392f9bc92be562bcff1445fc8ba9de16d102a4dd3af06327098e82c |
0 |
0 |
Potential RjvPlatform.DLL Sideloading From Non-Default Location |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
26ab63625d91d3e9562a4590b58637d67932adff68842c2c5bc522c3c9889944 |
0 |
0 |
Potential Ruby Reverse Shell |
@d4ns4n_ |
Sigma Integrated Rule Set (GitHub) |
e9154055e10f8e4dd72770d995295fca743f75ee40d95f3598ba2655ea07b35f |
0 |
0 |
Potential Russian APT Credential Theft Activity |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d891d43fe1fffa5c84fc567a5eaff4bcf0c35cfcfdaeda3284ed6d5becfcfe90 |
0 |
0 |
Potential SNAKE Malware Installation Binary Indicator |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d2f884d8ae19466556fe0f2f92fccaea02d021c8e31aee243e0c32b908d8dfd3 |
0 |
0 |
Potential SNAKE Malware Persistence Service Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
712497f02f6eb4aee90f17724caba93698f07236a4fab237fe58ef201e654f14 |
0 |
0 |
Potential SPN Enumeration Via Setspn.EXE |
Markus Neis, keepwatch |
Sigma Integrated Rule Set (GitHub) |
5185237d06d1d2c6fa9f5b9940219760620e7dd4f1db2fbff05f0b081ce4967e |
0 |
0 |
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 |
Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113 |
Sigma Integrated Rule Set (GitHub) |
d4793fdc170cfc0019f263c5dbc49df48f39d366293c6a9ae195061e90baf017 |
0 |
0 |
Potential SentinelOne Shell Context Menu Scan Command Tampering |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8d3e27dbca97f54305f24f4b37c83d7f89b93c26b19ac0f90e75e8558e3d021b |
0 |
0 |
Potential Server Side Template Injection In Velocity |
Moti Harmats |
Sigma Integrated Rule Set (GitHub) |
122a24bfd7e46b09906fbb6d6d221bb9f36d50f453ef1fb73dfa4f942979c6c2 |
0 |
0 |
Potential ShellDispatch.DLL Functionality Abuse |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e9ce0d9e0400d7af3add7ee879ecade11b110391df9c6ab37d87096e63275ecb |
0 |
0 |
Potential ShellDispatch.DLL Sideloading |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8d4f4b259e5a0b8f91e32ddcccbd06e7718f63585c6eaec02373107971a7873f |
0 |
0 |
Potential Shellcode Injection |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
78e9f82c41bd7abb0fa5ed70e1985671ecce98ccc467e595abcf6ba4071f3817 |
0 |
0 |
Potential Sidecar Injection Into Running Deployment |
Leo Tsaousis (@laripping) |
Sigma Integrated Rule Set (GitHub) |
03eaa2de8b9af345cff6ae3d00bc9b402cdfd3046c2c89b668705f4e281b6496 |
0 |
0 |
Potential SolidPDFCreator.DLL Sideloading |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
310b795db8446f3c63d837483dd65a97d2aa3d68cad9b23c5a85a110efb5ca73 |
0 |
0 |
Potential SpEL Injection In Spring Framework |
Moti Harmats |
Sigma Integrated Rule Set (GitHub) |
db008d3f2913789cf0217b44cecfa8272b47cd78ef0fe59e7acbff0da4e8b597 |
0 |
0 |
Potential Storage Enumeration on AWS |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
78674217f9ca84766ae74ee3b4bbe39f72d4a01ab2079a9909e951e0d7a52531 |
0 |
0 |
Potential Suspicious BPF Activity - Linux |
Red Canary (idea), Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
d2482e52c41f8e7ca8a8e8ebd482d5e16b5454903c5227091350394fede522a2 |
0 |
0 |
Potential Suspicious Child Process Of 3CXDesktopApp |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1a01b47f4dc1278271f0262c854cfcbcff9169c1f532c688a39c60427eb9897e |
0 |
0 |
Potential Suspicious PowerShell Module File Created |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fcb2d414e444fdd8367c51cb9741ea65824d63131833c2851f5bc6b5dd3dda1c |
0 |
0 |
Potential Suspicious Winget Package Installation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
73cfbc2b95d24b1c60e83c5551680db699298bb44a46eb64b1bb3d2d1b81085c |
0 |
0 |
Potential SysInternals ProcDump Evasion |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4c04c35bb6dbf1db959d95305aa16cbcc55b7bd2298b02e7631319a06d67f192 |
0 |
0 |
Potential SystemNightmare Exploitation Attempt |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c8b63d7e7a86cd816ca0855c66d0465f223a68621bc59cdb85639e382e022118 |
0 |
0 |
Potential Ursnif Malware Activity - Registry |
megan201296 |
Sigma Integrated Rule Set (GitHub) |
4e3571c62f910de9f4ea1bd62ee26b408ad26db209250c61eb74239ce71fc827 |
0 |
0 |
Potential Winnti Dropper Activity |
Alexander Rausch |
Sigma Integrated Rule Set (GitHub) |
d6c33aea206d318b0bebc06af8753c1497ad0abc154f4b62be36cc3893897876 |
0 |
0 |
Potential XCSSET Malware Infection |
Tim Rauch (rule), Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
069e8a740adc1baf8b590a6cb54d6b4414a9db3e8f17c48f1c099dcd52539b4d |
0 |
0 |
Potential XXE Exploitation Attempt In JVM Based Application |
Moti Harmats |
Sigma Integrated Rule Set (GitHub) |
99a0308cfc5b0853c651c4a7c403e5b998b8d8f6b759f40638639611db7a336d |
0 |
0 |
Potential Xterm Reverse Shell |
@d4ns4n_ |
Sigma Integrated Rule Set (GitHub) |
616f2a179167156381d864c1f0118b389c44953dbf66c3be6231d4f9758b27f2 |
0 |
0 |
Potentially Harmful Attachment |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
5f9b3f2dc239f570301cb831ea6671acf4414fbb82a5dc4df877925dbc1176c8 |
0 |
0 |
Potentially Over Permissive Permissions Granted Using Dsacls.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7ec99afd2c64f5d0f371316a37c71cac508492800b7897c3fdddcf4b2d6a25fe |
0 |
0 |
Potentially Suspicious AccessMask Requested From LSASS |
Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) |
Sigma Integrated Rule Set (GitHub) |
021958a970490c9f053ccc5d257c9c5f17746ceb0270b213e185a4c9354e912c |
0 |
0 |
Potentially Suspicious Call To Win32_NTEventlogFile Class |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
65df4fd101a63caf2dd5aa69d06d267db56e0eda1f1e0f6e575182bf95d31466 |
0 |
0 |
Potentially Suspicious Child Process Of DiskShadow.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fe951123e5b287b74b47be87582e8aeb31175e28fd03c5b6152c4331729109e5 |
0 |
0 |
Potentially Suspicious Command Targeting Teams Sensitive Files |
@SerkinValery |
Sigma Integrated Rule Set (GitHub) |
e407c4a5680764011db5e78bc7a86f3cb2195d4ea24c642bd28c04a04c2144fe |
0 |
0 |
Potentially Suspicious GrantedAccess Flags On LSASS |
Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
ed9636ccdbf53d675f6ffecccee23b849237a42f01ec09ad9ebf4ac4ed4a3afb |
0 |
0 |
Potentially Suspicious Office Document Executed From Trusted Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
060b2eb17a53682999ff3ccaec21d9099a3bc8b7930156ecfb264f85e9ebb895 |
0 |
0 |
Potentially Suspicious Self Extraction Directive File Created |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
9542d319b698f342b537a6e0f25abd10a20a18e2559e3bab788fd26c354d88b5 |
0 |
0 |
PowerShell Base64 Encoded Shellcode |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
dbe1887e879ebc1177cca950ec8a82a43b96e7015767750a0118dc61344ccdad |
0 |
0 |
PowerShell Decompress Commands |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
40fcac117060a3b800bb902b404dce3cc30abc9822159a68c7414603e70e131c |
0 |
0 |
PowerShell Decompress Commands |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
46f9d269c8a2f1c1c268482b8f189bfcb71e5f354e01cbc485f42aaa02be9a64 |
0 |
0 |
PowerShell Execution |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
77eafc1cb5e5d7dea37874133cea2270c0c4189a07aa4cf039207c99c17281fb |
0 |
0 |
PowerShell Execution (Potential event manifest tampering) |
SecurityJosh, Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
f2ffe839a68caf5469d7f0c6bba1649431891460f9c08271507f594cb5080470 |
0 |
0 |
PowerShell Get Clipboard |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
8a27ef77773c5b6e0ce2da04cdccf4f14f01015bd4dfadcb9f07ab0905d766a0 |
0 |
0 |
PowerShell Get-Process LSASS |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8fecdfab629105e4822e49c9dae2daf531f93b9b9f4a90cb0ba780ea4a09adac |
0 |
0 |
PowerShell Obfuscation using SecureString |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
a885d4a4024ecfaa6ba2d4e707d9c8f3f22ff62b6990332557b511f2f8dd3198 |
0 |
0 |
PowerShell PSAttack |
Sean Metcalf (source), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
229ea6fc4268ad28126e92f6f1ebd4679c50f3be77030a58b60af12fa0ef8eb3 |
0 |
0 |
PowerShell SAM Copy |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f82541606097e898ede6da39077c7fe527c1fcd403d041ebe375f28d5f4339fc |
0 |
0 |
PowerShell Scripts Installed as Services |
oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
1364ad75b0dc2267d0c0662c954f3be5c9215494cf31c1e20fe403ea6c3e83c3 |
0 |
0 |
PowerShell Scripts Installed as Services |
oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
445aaa2d9f84a2f2f097156daf5b3f2cf8034d25addcd37e1889105ca6dad11b |
0 |
0 |
PowerShell Scripts Installed as Services |
oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
467dfca5cc97071e4d713c6a6403209934b96ad6317643eef8e56b83b8134f8e |
0 |
0 |
PowerShell Scripts Installed as Services |
oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
6f49f2ed2359b28b3bbcce4b12451150c3c512387446684ad0f02ffa5ca11b5b |
0 |
0 |
PowerShell Scripts Installed as Services |
oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
8ccccb7310714bae7f496aec46cc573dd0bc8f2794b820a3070864fbdb99fdbb |
0 |
0 |
PowerShell Scripts Installed as Services |
oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
f1c32a70362f7ed2aa5c0293edb9c51408a0bdb4a1d93b8f101b2d7c38590993 |
0 |
0 |
PowerShell Scripts Installed as Services - Security |
oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
2cc62e06802026a69ee67d8dbae18471e27c0c724a1733602613735fb6fd72e5 |
0 |
0 |
PowerShell Scripts Run by a Services |
oscd.community, Natalia Shornikova |
Sigma Integrated Rule Set (GitHub) |
014598477a00db3dbeee84e541504e310712bfb7380fe0f6c18921580f829d4e |
0 |
0 |
Powershell IEX Download In Base64 |
Joe Security |
Joe Security Rule Set (GitHub) |
47700446a254048704b602b4820482299b526c610cd8cfa3a164f19784195ba9 |
0 |
0 |
Powershell Launched By Winword |
Joe Security |
Joe Security Rule Set (GitHub) |
ed5457ba384a36ef60723b4fa6a186fb0048d8947aa3ad64ee30284ed1b8b658 |
0 |
0 |
Powershell download file and shellexecute |
Joe Security |
Joe Security Rule Set (GitHub) |
f5d1804b36d00e52057d36ac92f04d0f6434083c9a000d916380a1c01f1c01c2 |
0 |
0 |
Powershell load assembly from internet |
Joe Security |
Joe Security Rule Set (GitHub) |
e4b3ed1b620f60e713a7faf984b8fa2b870914dfe494ac56f99bffbb5133e11f |
0 |
0 |
Powershell load assembly from registry |
Joe Security |
Joe Security Rule Set (GitHub) |
5388b2590b9ed2f4d530c9eac824a7ddde5512e4224c1a64b5a6da98fee0fbeb |
0 |
0 |
Powershell sleep and launch executable |
Joe Security |
Joe Security Rule Set (GitHub) |
1f9a2d4cfcbbab989273e05d81a5ab3ca1e580cddc3b839707dc19d6731f93a9 |
0 |
0 |
Powerview Add-DomainObjectAcl DCSync AD Extend Right |
Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat |
Sigma Integrated Rule Set (GitHub) |
d52fe14049b24733e329f274322c156982d55e21e66e25758d8e7bc91aa8c4fe |
0 |
0 |
Predator The Thief (command-line detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
1f8699a3474b828805b77c6ed86f5b86087391365eed233992d6ac3d289bc822 |
0 |
0 |
Predator The Thief (command-line detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
5422d5ef2c42f4981afdae1e5ad6c5159df8099190c17da497f76919f0cfbcfc |
0 |
0 |
Primary Refresh Token Access Attempt |
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' |
Sigma Integrated Rule Set (GitHub) |
507efff36f4d1d9578bbca3e86a88ba66d63fbf8351024fcc49c8163a50d904f |
0 |
0 |
PrintNightmare Powershell Exploitation |
Max Altgelt, Tobias Michalski |
Sigma Integrated Rule Set (GitHub) |
9994b75f6dfdb006404fdee33726452e641b8b07bbd4b6c79f61249f3ef3c1d3 |
0 |
0 |
Printer Service Modification |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
16ca1eb37f09dfe266d2553018aa5c7f236b3fe27572ab1215a0f4fa1302f765 |
0 |
0 |
PrinterNightmare Mimikatz Driver Name |
Markus Neis, @markus_neis, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
093a9d8f83c2689c873979bf87e2d4d8082037d9d782bf32ca870205e3992ffc |
0 |
0 |
Privilege Escalation Preparation |
Patrick Bareiss |
Sigma Integrated Rule Set (GitHub) |
9a8a7c1b00c147f05b82612499df919b5a2fd429c3bb0c64866b947ab39671e8 |
0 |
0 |
Privileged Account Creation |
Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
e861a14f2c52a51bd98832bb13bd1ed6707da37c1e16677ca79b9c7eabf23459 |
0 |
0 |
Privileged Container Deployed |
Leo Tsaousis (@laripping) |
Sigma Integrated Rule Set (GitHub) |
37617159af5873c5fc3955e5961f3215a6fc68872c73ca903d1491d48808423c |
0 |
0 |
Privileged User Has Been Created |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
f557dad53a5d5cb35f9e758c0849c8fa86a6d79823278d1cf2dc1c20383d1139 |
0 |
0 |
ProLock Ransomware Behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
2b9a1b8b36ad0dcdf24999b97bc2c86059ce3203d996f676ee280fa946653458 |
0 |
0 |
ProLock Ransomware Behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
7a7f19c4b3dd631c48ffccc302c2a36f81088073798fbc563b9c645f20f5fb19 |
0 |
0 |
Process Discovery |
Ömer Günal, oscd.community |
Sigma Integrated Rule Set (GitHub) |
0085bf33f8f7fe01581d6bf7c6463a6396d9843436e5c10f0da6186171d0b9c8 |
0 |
0 |
Process Dump via Comsvcs DLL |
Modexp (idea) |
Sigma Integrated Rule Set (GitHub) |
fc647ef855e070dd8c71ac9bee02eb59a9124eded234012d31fef82c72b8c1b0 |
0 |
0 |
Process Execution Error In JVM Based Application |
Moti Harmats |
Sigma Integrated Rule Set (GitHub) |
dfb2e4a4a0450400e94d502497a2fc43e3d603704d680cac03f5c15c392418a1 |
0 |
0 |
Process Memory Dump Via Dotnet-Dump |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f8d54c64dfd2f8b6616c664df28444b2fd67f01d8bbd65a847865fcb86e7c723 |
0 |
0 |
Process Memory Dump via RdrLeakDiag.EXE |
Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5cdfd68738b7b527a6fe7958d3484f9854aad921a6148f39e7a6851417647792 |
0 |
0 |
Process Memory Dumped Via RdrLeakDiag.EXE |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2d7bbe44a845a98779776b889cc1c74c4e424725151f7aae9eb73be3b70f4dac |
0 |
0 |
ProcessHacker Privilege Elevation |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2149649a6e304c127fc371a6342964619569b0ba1bcd812d2381173324736db4 |
0 |
0 |
Processes Accessing the Microphone and Webcam |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
b956cdd9fcde5ccf08a7776e2989b0bfad944b79dd75e20c11d38bb24dbfbfc6 |
0 |
0 |
Processes accessing the camera and microphone from suspicious folder |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
7b3cfa10cc9723d7c4fa50a1b3b77c1b9689fe594822023e09771ed6cbdce53f |
0 |
0 |
Program Executions in Suspicious Folders |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
22c7d8bc06e4a35a3045524848896a9e21533b194fcdbca7ed641a2a8fa7a4de |
0 |
0 |
Protected Storage Service Access |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
67aa4f89c2b8f751b7be7a7123233e4baca5464a20c273bfce1d81fcd1589781 |
0 |
0 |
Proxy Execution Via Wuauclt.EXE |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team |
Sigma Integrated Rule Set (GitHub) |
d8bd87c5bebb059ab6031d2484dd86fc3c0f14c4dcadd27895205b1267ab7658 |
0 |
0 |
ProxyLogon MSExchange OabVirtualDirectory |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0c6a87dbb998eae574f7a8317bcb860cd4acabdaef209f25c80bc5fb2e54d5af |
0 |
0 |
ProxyLogon Reset Virtual Directories Based On IIS Log |
frack113 |
Sigma Integrated Rule Set (GitHub) |
bd2871cff93ff62a864fd7b4e13617d202605e22089c562c84540f8a8d25392b |
0 |
0 |
Ps.exe Renamed SysInternals Tool |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
508460a99a052814512ff212e0f6f3bb5e1d3de21c79ff3e24f6d05463448b1d |
0 |
0 |
PsExec Pipes Artifacts |
Nikita Nazarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
d5a93fd832fa665cec13e7681c2db65b6feb3c719a2ea43cf408a884503fa0b3 |
0 |
0 |
PsExec Service Installation |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
a140e6a4ca5fb32569012656b50cf8d077ed195688bccda1b6cd6a7bcc32aea0 |
0 |
0 |
PsExec Service Start |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
7e4741cdaf6a396a8d975ad542687436b6beda2f0282db17805ebf9b52098289 |
0 |
0 |
PsExec Tool Execution |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
0846916c3d5af2a322cf42210119c1d28945f9733c842830a4caf16597462ac0 |
0 |
0 |
PsExec Tool Execution |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
1518bae3460d45d1166480cfdbf8f19603549ebe5930c037d7001c15d30c322b |
0 |
0 |
PsExec Tool Execution |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
4b9b15bf02c7c8b9fd6f4a020a6318957101b14776b4e6ab6375abc57ce2d101 |
0 |
0 |
PsExec Tool Execution |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
7f0d5bf894afae6dab8a011197896b06675a9c3089b1b1ffffc6efca6e2eae29 |
0 |
0 |
PsExec Tool Execution |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
8cab50a6d456060d4de01cc18fbe85b349cefb689386336cc8fe05f8854c9f31 |
0 |
0 |
PsExec Tool Execution |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
97af35b4172a9333d69b01cdb4d6c6f7b49b0f0d665b4bd4c66b4a3bb793547e |
0 |
0 |
PsExec Tool Execution |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
b677aa8615b26b7047d758b5e937e92d67219dafb0f4168698b819a2fd7dd925 |
0 |
0 |
PsExec Tool Execution |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
cbdad3dc58dae0d5b7ccf82a897b981e992a31f8f2a45d86fb8554c1c5bafdb4 |
0 |
0 |
PsExec Tool Execution From Suspicious Locations - PipeName |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
849c3c78b941ab4dab9f45aaf26d961a2e8030d6ad5edcce51fb665a1ca0c64f |
0 |
0 |
Publicly Accessible RDP Service |
Josh Brower @DefensiveDepth |
Sigma Integrated Rule Set (GitHub) |
84b66d47b8f699ef0111cfc0d68cdc2be9451bc55091156ee5cbb23cce133b76 |
0 |
0 |
Pulse Connect Secure RCE Attack CVE-2021-22893 |
Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
ab8e48d7ca9cf33f92ac8c77e2ba4f029ae209d2bc21b576b7d3870ff51a9215 |
0 |
0 |
Pulse Secure Attack CVE-2019-11510 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a4eac94c575b5162661af9888cf6bf6e1c6b2765b9129be15a313f4f596de87b |
0 |
0 |
PwnDrp Access |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3c12c79f550c4f0f3128094db8b532ddb7997afc5d22889d546ed3c68317e67c |
0 |
0 |
PwnKit Local Privilege Escalation |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
063047aaaa5a444ae30399fbd344970fa1ba8de23905f8fd009f6a04624e794d |
0 |
0 |
Python SQL Exceptions |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
c355e46fd180c68033fae6aa264ce176fc46107a47b4ad0a22812ae40f1fd65b |
0 |
0 |
Python Spawning Pretty TTY |
Nextron Systems |
Sigma Integrated Rule Set (GitHub) |
9d935ffebc9ea6afd4785a686eab56350dab3324b761c57a75fd429ccefd7a3a |
0 |
0 |
Pyvil RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
1946000b4b23e17072b4e16f69f6d214b8cd744492cfc3d809c91c0250a9329a |
0 |
0 |
Qakbot Uninstaller Execution |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7885bffc96d4acd43e379541a35e00f1ea7757d9e2b46ca5b45ef5d6458adf64 |
0 |
0 |
Qealler Detection Rule |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
2d552bed0d3218f870cdd17abb035a0f71ec2c158035fe612e2476aec61930f4 |
0 |
0 |
Qealler Detection Rule |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c272bf0614a45f345c008e393b47040de6ef75f4a3e3494853f36aa9768f0736 |
0 |
0 |
Query Tor Onion Address - DNS Client |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
76cc73e374696ea0a366a34cf357d06863e53886014404e8257d8a1b95893623 |
0 |
0 |
Query Usage To Exfil Data |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
96f2931025ffc4a127c2844a00a39d318b1070e8b6327244cff3371de2ffea71 |
0 |
0 |
Quick Execution of a Series of Suspicious Commands |
juju4 |
Sigma Integrated Rule Set (GitHub) |
ed973bd3154186b4b9179b400d5cad9f28291698fa066588f22e9cc1fb5f8ed9 |
0 |
0 |
Qulab Trojan (Covid-19 abuse) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
15e1323de6b754fd8ed09a65a9756cee2a8cab604d50013ef15dfb651b0154ef |
0 |
0 |
Qulab Trojan (Covid-19 abuse) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
36a825331394fd916bee36fdbd94d6fc383f14774529b3c9facc40eb7f1ad066 |
0 |
0 |
Qulab Trojan (Covid-19 abuse) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
82a3dfab9619a2d77e3d28664ef300769a61d65c3e3b1739dda336dc4af6cee0 |
0 |
0 |
Qulab Trojan (Covid-19 abuse) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
88c142bc27fcc02afe262a8b8b280ab0acb99f4224c53fcbcaa33db318bc8824 |
0 |
0 |
Qulab Trojan (Covid-19 abuse) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d2fd35d9e091008717a1ddb2ba521ecdd25ba3b5491c719179b54b0b099349cb |
0 |
0 |
RATicate Group behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d107f1b47b43fc725572a5dc8b69c66ee12cc6062ee0a67c4a35ac7cb778d95b |
0 |
0 |
RBAC Permission Enumeration Attempt |
Leo Tsaousis (@laripping) |
Sigma Integrated Rule Set (GitHub) |
af423b03abecfef860464c8af46fae7cc2987651d251f27cbd41c77ec2ecfd09 |
0 |
0 |
RClone Execution |
Bhabesh Raj, Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
5c18d54d0d1977fcaa16d7b119948395edb249365b6c767ea18e95c6b44204a5 |
0 |
0 |
RDP Dashboard (Overview Query) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
71a226733f7f12aa303328c542409ef9b1016c750c4a8f78c86a615e3da3cf6a |
0 |
0 |
RDP File Creation From Suspicious Application |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3f973e695640f51f0a956113bb198bf96115be3d8efc02dfd38f6e5d088658d1 |
0 |
0 |
RDP Hijacking. Last logged-on user changed. |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
5af33fb9edf5af983870138dd17270a22ec3c4046fa58eb0a27c209c5951b03c |
0 |
0 |
RDP Hijacking. Terminal Services Manipulation. |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
3d69986e07af4e5398ea63ef3256bdbbd6215aa1823e591de5088f16896f0c5d |
0 |
0 |
RDP Over Reverse SSH Tunnel |
Samir Bousseaden |
Sigma Integrated Rule Set (GitHub) |
0fc2c398ce1141e654d51055a3df9803bd5e0031fec24100cf28a042b9b9df0a |
0 |
0 |
RDP Possible Non User Login, Abnormal Screen Resolution |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
ff0ab5b6cd3ebd7aeade8aa8b55790d7096ac7ba96d54a8ed6587d0c5f25da39 |
0 |
0 |
RDP Registry Modification |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
7aaf54115e7c0d8450b858520101c04264b58e033da253ad20a672a00b52b5ae |
0 |
0 |
RDP Sensitive Settings Changed |
Samir Bousseaden |
Sigma Integrated Rule Set (GitHub) |
c1a07dc6104bfa9dcd638f1c9f04504dafbbb28fdf3a4f36dc6af48802194787 |
0 |
0 |
RDP over Reverse SSH Tunnel WFP |
Samir Bousseaden |
Sigma Integrated Rule Set (GitHub) |
9ac83d94dd47e5c8ac03b8678d0569ce163716d072aa690ee44b67d5ae12510a |
0 |
0 |
RDP to HTTP or HTTPS Target Ports |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2b8403bd1b6574c14ce1493e5f5de4e00d30c999ff9cee5b9999cfd3af6754e5 |
0 |
0 |
REvil Kaseya Incident Malware Patterns |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fc2108a980d79a05e920b28c15d995fa0652a1dda317ce1fa22da44d694541d3 |
0 |
0 |
RMSRemoteAdmin |
Joe Security |
Joe Security Rule Set (GitHub) |
abb330cf6694939eee00022cc1eadd65b14603c20a76a3c590d95ef23c61b22e |
0 |
0 |
RTCore Suspicious Service Installation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
403b0a2a2b9dd42ad41302ae9b660d4d26e2c3656250fc4443de7a6064387c74 |
0 |
0 |
Racoon malware detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c5bc56057878575689e1e8062054f20ea3f118c0e52f17403445a2bb339ea3f9 |
0 |
0 |
Racoon malware detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
ef297eac8d295b521dbb1e207df57db1a1e62453c926eed3fd6bfc9460b6f6ed |
0 |
0 |
Racoon malware detection |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
fece10118d7e85693008b838c2f78dbaea6c1f125c622c3dbede3df3d3e401e0 |
0 |
0 |
Ransom X Behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
016eb94fa1071faeb02a09e52d8d7e64b3702d3e8cdbb12683eb99da9b3b4889 |
0 |
0 |
Rare Scheduled Task Creations |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
95b4be8473d9667e7c486d85a5a38d5d2a0fe7d4716c86448e7f15cbbd167c80 |
0 |
0 |
Rare Schtasks Creations |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
52bcf8d53a2e9861ebf212d6fb5c8c8000ff4ad6aef25806a201b8115c7c5852 |
0 |
0 |
Rare Service Installs |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
b4520bca6240f5cea8758ebfe31a5de0d007fb4ee971d1504eb4afaf9aaaf107 |
0 |
0 |
Rare Subscription-level Operations In Azure |
sawwinnnaung |
Sigma Integrated Rule Set (GitHub) |
73526ac545356edf8d7771865258ba2671d34ed6c9c1e4e89dda4f64833fc5ca |
0 |
0 |
Rasautou.exe execution. |
Den iuzvyk |
SOC Prime Threat Detection Marketplace |
a34ca7a1c15bec9b90de6c46395088c6d253b54b770a60de680af7cd9943c085 |
0 |
0 |
Raw Paste Service Access |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
df29e480a1da07c9864f41b5f7bf34765c1d2ea9af15046dd3aec14367536f8f |
0 |
0 |
Rclone Activity via Proxy |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
2e214e304ac2df75080e9a16298177ab81a6aca44143bab0ee894a4118e0e324 |
0 |
0 |
Rclone Execution via Command Line or PowerShell |
Aaron Greetham (@beardofbinary) - NCC Group |
Sigma Integrated Rule Set (GitHub) |
1f67c2169d6cb6e70c9bac22b944ff64fa959097dba5e8b963852d6c58fc8e1a |
0 |
0 |
Read and Execute a File Via Cmd.exe |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b711425de1432e74de57cdd7e431ffa5538e3e182e4d3a240d3b43307e91b436 |
0 |
0 |
Recon Activity via SASec |
Sagie Dulce, Dekel Paz |
Sigma Integrated Rule Set (GitHub) |
91406863070d5d2bd89753daf362eb0a0bfc365a80daebaf4d62a52a017628d9 |
0 |
0 |
Reconnaissance Activity |
Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community |
Sigma Integrated Rule Set (GitHub) |
e4f2c05322c3be28c50da39003b02312523eac5e2b83bf820349a063d6e18167 |
0 |
0 |
Reconnaissance Activity with Net Command |
Florian Roth, Markus Neis |
Sigma Integrated Rule Set (GitHub) |
a6adbabf733244eb498c551ed9ba1387ba2997a06332e517c89b955160edea9a |
0 |
0 |
RedLine Stealer (COVID-19 Campaign) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
1d84ec4dfb91d5af2a7692cc37b5fe558279fe33b3b6ae373987f71ba7df5e8b |
0 |
0 |
RedLine Stealer (COVID-19 Campaign) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
4f3bb7ac672f51adf9d944139cabbb66f52ef10a9abcfea24b65ba3c1cfc1252 |
0 |
0 |
RedMimicry Winnti Playbook Inject |
Alexander Rausch |
Sigma Integrated Rule Set (GitHub) |
13e4345b125509a08fb73bfaf0cf1f2320148020c7e45ab1cf8b47ef011db176 |
0 |
0 |
RedMimicry Winnti Playbook Registry Manipulation |
Alexander Rausch |
Sigma Integrated Rule Set (GitHub) |
86b53f7f939e5987f63a77e6b31ad7f58f28592bead63b31894216d116ecd120 |
0 |
0 |
Redaman RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
1544d96bd9a34be41d2e2c976346e9c6ced04c82b6490ad0606f48640531400a |
0 |
0 |
Redaman RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
ef28bd95f54d82f5f8245ca837359781d3cfb48f7f3e7401ef6bbebff3dbea8e |
0 |
0 |
Redaman RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
f43a2b6a6d965289e8bde09c684b476bca7c77b88f1f4ed4f95a687d394b94ac |
0 |
0 |
ReflectiveLoader |
Joe Security |
Joe Security Rule Set (GitHub) |
f972e2d6ad7812da19ebfc6d0e73c5dba52f470a48646159facd3ffa24e4d8df |
0 |
0 |
Register dll at autostart location via regsvr32 |
Joe Security |
Joe Security Rule Set (GitHub) |
6e3d105ee67957d16975a4ff8dcbbb38b9c8dd21ccd2dc07e9c194a6c153ba98 |
0 |
0 |
Register new Logon Process by Rubeus |
Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community |
Sigma Integrated Rule Set (GitHub) |
f7cacbd7c0676adf78318bb6d9de688bc97c4aa69d5afa2f1d55866ce06b3867 |
0 |
0 |
Registry Entries For Azorult Malware |
Trent Liffick |
Sigma Integrated Rule Set (GitHub) |
4ad66d0e46670f58101e391ac2d114fc7e3b06243c7b81888faf05840934d168 |
0 |
0 |
Regsvr32 Network Activity |
Dmitriy Lifanov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
bcbb15efbb568b9a302a100e8cea3e019b9b8d04fbcd5d17a4439b424fe30e59 |
0 |
0 |
Rejetto HTTP File Server RCE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9d25e8f3b7a408cce3020ec891aa2c9d254d0bb95c93a745e52ec2873b33d7a4 |
0 |
0 |
Relevant ClamAV Message |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
5105b3bed3732f01c5689b867054b8ff7c5645b8ef18842d89506409437037e9 |
0 |
0 |
RemCom Service Installation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
94ff4e1c11f1bf5be4a8869812feb2932fabd4cc5e49880fbd6fe0f69deb3133 |
0 |
0 |
Remote Access Tool - ScreenConnect Backstage Mode Anomaly 2 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
34f0db47e8b5676494bd567d6dcefc056f586f53e54cae216f839a0edbda0022 |
0 |
0 |
Remote Access Tool - ScreenConnect Command Execution |
Ali Alwashali |
Sigma Integrated Rule Set (GitHub) |
119f6fc00b16937e65f95d63f6b9b37cb054fcad68f3774c227967ef50e4e246 |
0 |
0 |
Remote Access Tool - ScreenConnect File Transfer |
Ali Alwashali |
Sigma Integrated Rule Set (GitHub) |
ad690d55fec7c8db17c717e335f9ec49638a68595e03fd7b694234ccd21a2831 |
0 |
0 |
Remote Access Tool - Team Viewer Session Started On Linux Host |
Josh Nickels, Qi Nan |
Sigma Integrated Rule Set (GitHub) |
6c2edf77f04c7ba0c3638548a556ff8b389023df182d1550e0180512d7244d2f |
0 |
0 |
Remote Access Tool - Team Viewer Session Started On MacOS Host |
Josh Nickels, Qi Nan |
Sigma Integrated Rule Set (GitHub) |
3c4a5af05488455cbbc622e1b3dcffe7b7f3894e37e6209d81a162115a1ce002 |
0 |
0 |
Remote Access Tool - Team Viewer Session Started On Windows Host |
Josh Nickels, Qi Nan |
Sigma Integrated Rule Set (GitHub) |
9d82f797fb61b3b2f1f6f4178877e646690abed4bef54b954f510ceae314cae8 |
0 |
0 |
Remote Access Tool Services Have Been Installed - System |
Connor Martin, Nasreddine Bencherchali |
Sigma Integrated Rule Set (GitHub) |
34d687f60f7081819f22b40f767564ddb3f05dba154f9bf5b54b294790adf12b |
0 |
0 |
Remote Code Execute via Winrm.vbs |
Julia Fomina, oscd.community |
Sigma Integrated Rule Set (GitHub) |
38b612a88929aab8a1ee49b6e7616c06ee06da5daeb4e09a215f9c865d870910 |
0 |
0 |
Remote DCOM/WMI Lateral Movement |
Sagie Dulce, Dekel Paz |
Sigma Integrated Rule Set (GitHub) |
76151d6bf2fc3c0b97c2fee917e1a0080357b46b16489662b6fa8263e0496e2f |
0 |
0 |
Remote DLL Load Via Rundll32.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b54d8cf49ff7956497c3752537e0cfeaabc7024d7d9fca9d241be6642ecf992c |
0 |
0 |
Remote Desktop From Internet (via audit) |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
96a069aeb5c6003d5e4ffe4aaf6d30be7b05d356c661367a348514a7c2c5beac |
0 |
0 |
Remote Encrypting File System Abuse |
Sagie Dulce, Dekel Paz |
Sigma Integrated Rule Set (GitHub) |
96236156e2ee08a2c6488cad57235da4ac1f1668452f6d3dfe12cbc63561e4e3 |
0 |
0 |
Remote Event Log Recon |
Sagie Dulce, Dekel Paz |
Sigma Integrated Rule Set (GitHub) |
084e455e139db853ab3b4ab4ab764b1175dafc7b984e75b97342170f20ca55c7 |
0 |
0 |
Remote File Download Via Desktopimgdownldr Utility |
Tim Rauch, Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
007d500df65d3b4648dd4b2a4ac8f56d68be1fd30cbdaa49b85a4562e30045a4 |
0 |
0 |
Remote LSASS Process Access Through Windows Remote Management |
Patryk Prauze - ING Tech |
Sigma Integrated Rule Set (GitHub) |
847efb8ac13cfab516079fc4fc864f42a81274705a40c71c2e343e3ff59586c4 |
0 |
0 |
Remote PowerShell Session |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
48a36a2180adc9f076d8a15c870bb4583783f4984a012d21d17fe64439511244 |
0 |
0 |
Remote PowerShell Session |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
d2a86c0c533d4197640ec3742c4054be9017d215efd16a8d462456a23db8a109 |
0 |
0 |
Remote PowerShell Session (PS Classic) |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
3c98610bc94a5c8803f6eafb310dc123666199b4a9df90abd38486461927a020 |
0 |
0 |
Remote PowerShell Session (PS Module) |
Roberto Rodriguez @Cyb3rWard0g, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
1cef3fd3818cc81e0b14412af94c6998bf6abb8a8d1f5ea344f2457a1f880d4c |
0 |
0 |
Remote PowerShell Sessions Network Connections (WinRM) |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
6590a6d9a0f48ca7180efed5cdf2aadb0d828795034779b5860a47b16c811835 |
0 |
0 |
Remote Printing Abuse for Lateral Movement |
Sagie Dulce, Dekel Paz |
Sigma Integrated Rule Set (GitHub) |
c1395541e69b13da1cc1035bd62879eeb1acfc7c1f1a9893f15c9b59a1c28e79 |
0 |
0 |
Remote Registry Lateral Movement |
Sagie Dulce, Dekel Paz |
Sigma Integrated Rule Set (GitHub) |
fade93fb2f758f1a6346aca4b7934c0341cd25ebab27572619bc172b71009a7d |
0 |
0 |
Remote Registry Management Using Reg Utility | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 89100186dc0ee80d9ed100f7046a9a131a40270385fdcd8994b102aa36f06ae5 | 0 | 0 |
Remote Registry Recon | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 0da2bf3f60f78c0157fba802e07c3429c2db9548a0013bf3b3d2fcb972c63c67 | 0 | 0 |
Remote Schedule Task Lateral Movement via ATSvc | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | f0e4f6d27b4fd5dc309f86da16647af515cbdf3ff8216f8cabf86bfc4257419a | 0 | 0 |
Remote Schedule Task Lateral Movement via ITaskSchedulerService | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 701f035f5884ee4e19bd1ff43cc70cf5d5e81841ee79396985c6c44acdfd08ef | 0 | 0 |
Remote Schedule Task Lateral Movement via SASec | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 9e297ca71464dc800ebb88178374050e41c76cfa93ca53b1c1ac7112ca2a59ae | 0 | 0 |
Remote Schedule Task Recon via AtScv | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 646f3e37fe63b5b63d5c4d10d4924628a4bc2b065df2a3ae0a56e0ba7bb881ae | 0 | 0 |
Remote Schedule Task Recon via ITaskSchedulerService | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | b783f32d9efa0aebfdad80828d907141658b4b1480d1320fb76eb660d70e23ca | 0 | 0 |
Remote Server Service Abuse | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | da75ed5683633515c46fa481740b55f4522cff9f091d422bae1f247e45ce571d | 0 | 0 |
Remote Server Service Abuse for Lateral Movement | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 934211e43314d94ed7f6c8efc2244f86909a5b8f30ce068d411a1112499fc69c | 0 | 0 |
Remote Service Activity via SVCCTL Named Pipe | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 046ceb0cf9b6078b4d6bd583847ee8a30ecc082fb018cd5de8af33d9203a2519 | 0 | 0 |
Remote Task Creation via ATSVC Named Pipe | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | fde467e8c3cd6651030d60821479ab66e029e1c6541daa5a16b3611959c7b529 | 0 | 0 |
Remote Task Creation via ATSVC Named Pipe - Zeek | Samir Bousseaden, @neu5rn | Sigma Integrated Rule Set (GitHub) | 236138dfbc31327293697d57944480418437a91071cb427e4f48f5755f2319df | 0 | 0 |
Remote Task Creation via ATSVC Named Pipe - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 92258356e34556c631e9519ae4be82df3ecb4ccaf390d03c459a5df6a3705804 | 0 | 0 |
Remote Thread Creation In Mstsc.Exe From Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a66219b9893f218ea353a3d8a78dde7723ef124a5c44bbd9cebee2c0dbcd54ed | 0 | 0 |
Remote Thread Creation Ttdinject.exe Proxy | frack113 | Sigma Integrated Rule Set (GitHub) | 189197a49d8126294ed2c23b20893779206b4782cc2551afbbe1722f1d678531 | 0 | 0 |
Remote Utilities Host Service Install | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 049536c134b08489b2b3df8a57a3964bb79a0d00ed73127a72a8a0fa8979dd5b | 0 | 0 |
Remote WMI ActiveScriptEventConsumers | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 820499826df98e19e14c24dac63db285b19863b3c8af168e63e83a6df9d864d8 | 0 | 0 |
Remote XSL Execution Via Msxsl.EXE | Swachchhanda Shrawan Poudel | Sigma Integrated Rule Set (GitHub) | f06fd682fbbc36afc396827d0dbb64111adce81986a9e0c99fdb0eb993c160d1 | 0 | 0 |
Remote execution via sql extended stored procedure xp_cmdshell | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 375cb93c2bb69dad51d360b1936e69ba1b68424e34970ff0b9b9c6b9c98f989f | 0 | 0 |
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses | frack113 | Sigma Integrated Rule Set (GitHub) | e78750ceeb186d5ea5bbcfb7f9ba741b6d8d9978b25212d97a252621b5af87cf | 0 | 0 |
Remove Exported Mailbox from Exchange Webserver | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdfd4f3c151a5adc98ef77f6ac75cdfd440bb51043d01c27b94e2a5a63f4f4de | 0 | 0 |
Remove Immutable File Attribute - Auditd | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | e28706c6a53a1d6ff572114998015648c27e89167c10379905d0cbc361712d41 | 0 | 0 |
Rename Common File to DLL File | frack113 | Sigma Integrated Rule Set (GitHub) | 5751a067fbf836a0ec2042f15f744ef655cdc2ee27881317888cbe4b90cd6e0e | 0 | 0 |
Renamed Gpg.EXE Execution | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 5a49ecd7f952fdc3a8c06f737a883ee952fc5bdce4fbd1f2d5aa5025ad061150 | 0 | 0 |
Renamed MSHTA launching html | Joe Security | Joe Security Rule Set (GitHub) | eef2c27cd98b92f6ac98d5b6fa781fc1ef9fcb1fc12f0e72db41aa0308a33ad7 | 0 | 0 |
Renamed PsExec | Florian Roth | Sigma Integrated Rule Set (GitHub) | d266707276cd7f46b3d33b3a78f17f69e9160d8f795bf07d8c7020b49aad1da3 | 0 | 0 |
Renamed Visual Studio Code Tunnel Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5af3ca2fabb1cc81f223ed0b11170ee66082573a935c386243fb2f002424e947 | 0 | 0 |
Renamed VsCode Code Tunnel Execution - File Indicator | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3467d11ea5d66414bef93a224daeb48123de2243dd60cb03ca3254bcef0a881b | 0 | 0 |
Renamed ZOHO Dctask64 Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0d4118d9a3bcc02c529a5322214c7e45fc4ad36aec272ddc3772230315188701 | 0 | 0 |
Replay Attack Detected | frack113 | Sigma Integrated Rule Set (GitHub) | 1113406498002581ef054c392e090b7b400cc3e0301119adfa080cd98c499f9a | 0 | 0 |
Restore Public AWS RDS Instance | faloker | Sigma Integrated Rule Set (GitHub) | 1a859b52b21821dc4f0a817ce7326759948e5b2065d00479202bffad5175fc08 | 0 | 0 |
Restricted Software Access By SRP | frack113 | Sigma Integrated Rule Set (GitHub) | a0d00057a0c01bda531d1c9a53a1b51c8167ab1a8a2c4d9d465e44832aef00a0 | 0 | 0 |
RestrictedAdminMode Registry Value Tampering - ProcCreation | frack113 | Sigma Integrated Rule Set (GitHub) | 5075a0208eb230de355c4c0125a6de311c4310421450c41c6c09a979f9ce0307 | 0 | 0 |
Roles Activated Too Frequently | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | d2214f29236c45bb4e9449fd45ef39c1e55a6a3aad3c6be8b1ba9108d24412c4 | 0 | 0 |
Roles Activation Doesn't Require MFA | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | f3fb0037446d788e29e1262d1d15849decc54eb03e834247e69c18ac923a4316 | 0 | 0 |
Roles Are Not Being Used | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 60ed14e4c1ff20704e2fc54bd659bc4dba9801a0f98b5889fb7c4bb951d31639 | 0 | 0 |
Roles Assigned Outside PIM | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 9f4e9045c66727a675ca6f6b92e4a56b5622d0e6279fbeb6e5337061dd2512bd | 0 | 0 |
Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | fde7c67804bf2f25cc674d242987b96bb244126d9568bceb7c9a208193fe66a6 | 0 | 0 |
Ruby Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4e72a03a2703fcfeb3890299c29d7d61e57b5eb6ed8a9aaf75ee955c0f035e09 | 0 | 0 |
Ruby on Rails Framework Exceptions | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | b3e15ce29c0578285d8af1d8092873431b79ef0d74202d48d1b55dccaaa861de | 0 | 0 |
Run PowerShell Script from ADS | Sergey Soldatov, Kaspersky Lab, oscd.community | Sigma Integrated Rule Set (GitHub) | b0a64287d64cf778925e076c13aae743cdb5da1000efa636d98364e0e42edf83 | 0 | 0 |
Run PowerShell Script from Redirected Input Stream | Moriarty Meng (idea), Anton Kutepov (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 64fc279e6738ccc6db931977799249729de73acffc5034f83e3094bc34ab2011 | 0 | 0 |
Rundll32 Registered COM Objects | frack113 | Sigma Integrated Rule Set (GitHub) | 7c35c5e190d2003a2d4041136456fdb91373e2bb241bae4f3e196b6cf9791dee | 0 | 0 |
SAM Dump to AppData | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cdbc62d2dc895924c046364f27452f287723a2b72efb654ba041280d91f69acd | 0 | 0 |
SAM Registry Hive Handle Request | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | d98473553a7ba81cf9e2ce17e305853d35be853a95ef549fc405dfa67f646391 | 0 | 0 |
SAML Token Issuer Anomaly | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 6fe6438e68fd6c9ff792e33bd2c36f00afdb69d926012d0f29682658c996286f | 0 | 0 |
SCM DLL Sideload | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f591d8827dd487431d191a08c0ef0b3002b70d07e4be97d0eeebe789ec5a6c25 | 0 | 0 |
SCM Database Handle Failure | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 4b5721fb3c1349a8cd1a6f9e87bed2fef39d379476067fe7fe05c685e4a9a382 | 0 | 0 |
SCM Database Privileged Operation | Roberto Rodriguez @Cyb3rWard0g, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 30a1135097fc1ebdc8fe0b030918fe2ad05ad4512d17062d8d1920bdd5cfbdbb | 0 | 0 |
SES Identity Has Been Deleted | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 8489090038621dd5392b648970249cd8c9c766f53b29337d3382719ef8d5dee1 | 0 | 0 |
SILENTTRINITY Stager Execution | Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | 0f63070b903766c40f1681e44325de9e396c2b6dd03613b2686896de828564fd | 0 | 0 |
SILENTTRINITY Stager Execution | Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | 8275c8ed59f78788721cb0f9d2fe01fae3fbfd381cd3c846fe2715c4a5f8adfc | 0 | 0 |
SILENTTRINITY Stager Execution | Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | e20a4ca9a2ec3dbe28c1851ecdb7656f0b386147843cdb3a7f3d749bfb40defd | 0 | 0 |
SMB Create Remote File Admin Share | Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 8ca9660ea1755b4e1702a1cae3092454355f15fc519799fdb87d3e6839afa23c | 0 | 0 |
SMB Spoolss Name Piped Usage | OTR (Open Threat Research), @neu5ron | Sigma Integrated Rule Set (GitHub) | 01306ab05e6ee3fec1a74538de482f1e109754346730be0a73742b46a7c7eaeb | 0 | 0 |
SMB single file created then deleted successively | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7ffa016b10d3241bd89a2006ec066c969c740b97ae3cf7ec5cc91eabf2c6335d | 0 | 0 |
SMBv3 Compression Enabled | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 5f65bceb308a9da7f66986e86311c701f4f34184d1833cfc7e465767fb18a102 | 0 | 0 |
SMInit exploit chain | Den Iuzvyk | SOC Prime Threat Detection Marketplace | e0fca2cc0e2ed43fc1a0c7b399ded68159180c4f82074a3f3124e26c3139fc6e | 0 | 0 |
SMTP Email containing NON Ascii Characters within the Subject | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5b50e56fccf5b9b41516c2fc14cbfb85fad941e5eacb051891a2493db49fac93 | 0 | 0 |
SNAKE Malware Covert Store Registry Key | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 286b122eca59824270b1adc399c30c3b1f3c68085962301cabed356fac8f308d | 0 | 0 |
SNAKE Malware Installer Name Indicators | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 18a353fd9b7db6facb29c0c73ebbfd6f4dce4015f7d410371d3509a3d67371e2 | 0 | 0 |
SNAKE Malware Kernel Driver File Indicator | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c285daef847eb612384249dd8ce4054ccb3b8e877013c7bbc4a958e8c25d66c1 | 0 | 0 |
SNAKE Malware Service Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a4cc0f73c6009fcd80147af40027b2902c5525519aa27fb56cba802ecf4e011e | 0 | 0 |
SNAKE Malware WerFault Persistence File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad153b7af83236ec911a9dea2a21c28c85a22c4a47925296a3dae8cbe4590261 | 0 | 0 |
SOURGUM Actor Behaviours | MSTIC, FPT.EagleEye | Sigma Integrated Rule Set (GitHub) | 225f115c0a824b3ec735568b05a49394fa6da38bcdc9e2f71661b34a9bde1c53 | 0 | 0 |
SQL Client Tools PowerShell Session Detection | Agro (@agro_sev) oscd.communitly | Sigma Integrated Rule Set (GitHub) | 8e776e236be945ae976b2513cef49318e8986b57ab334e2a8f2a9968f4a3081d | 0 | 0 |
SQL Injection Strings In URI | Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank) | Sigma Integrated Rule Set (GitHub) | 7940d1dd84f2a311d67ac511006deeead549c05a4cadaca9908e1071a153106c | 0 | 0 |
SSH Inference Abnormal Client Activity | SOC Prime Team | SOC Prime Threat Detection Marketplace | 213b04a00fc3394df6cb347b642ceb29f5e7294a1d6d7203e21998962369643a | 0 | 0 |
SSHD Error Message CVE-2018-15473 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5ac7c90edd2ba8133a86c284d95dae84b58026895599a4943646e0e39367e995 | 0 | 0 |
STOP Ransomware and Vidar Ransomware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4ae55153d32cc3b88c7e99d12dbcc4db828e7f96ec3ccbe3b8f662ef4d09e2ef | 0 | 0 |
SamoRat Behavior (sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2fbdd381a1c20671e2c9bd733e716a02c99a470023981c60de3e3402ff08313f | 0 | 0 |
SamoRat Behavior (sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 60faa771bf16cc7cdbc224436c0b3d9d093455f39f5b6094fe2dc5614ca2b130 | 0 | 0 |
SamoRat Behavior (sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8a1644eccd8d683fe61a26387c655e1d85bff90b49640b5d8c65940e4e1973d0 | 0 | 0 |
Scanner PoC for CVE-2019-0708 RDP RCE Vuln | Florian Roth (Nextron Systems), Adam Bradbury (idea) | Sigma Integrated Rule Set (GitHub) | 6b75b0b00b5529a6a6d3fcf1ff03341ca43c3fa7fdfcc055f26dd0ba221f2213 | 0 | 0 |
Scarab Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 67396c2c1e0ebec89ce7662df24f8bed3f20cbe387e6a2b465188037e579b084 | 0 | 0 |
Scarab Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e1354c1cc16fda38432e3dd01a191f253341fe937e23156238d85e90d8191395 | 0 | 0 |
Schedule Task Access or Manipulation over SMB | SOC Prime Team | SOC Prime Threat Detection Marketplace | c155230c5fcc90d90646898aa82112b6f73ac2e0dc430ad9dce7826e28297cdf | 0 | 0 |
Scheduled Task Executed From A Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 15b780610320e0cfabf2c7f2a3e99c7fe20a876e623b1766cf12e063459a4a1b | 0 | 0 |
Scheduled Task Executed Uncommon LOLBIN | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6ddcecbde6b55aeeb520ebbf03e191e6d557ab30f54057044b5bc55ec773be40 | 0 | 0 |
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor | CISA | Sigma Integrated Rule Set (GitHub) | c8954187d9d21d8eedbeb881855b447aa93d6b5059bb535e561276097048e844 | 0 | 0 |
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler | CISA | Sigma Integrated Rule Set (GitHub) | a6e446aea0df0c06f82209e8090a738e780fb85921275f71e955ea8b289811f8 | 0 | 0 |
Screen Capture Activity Via Psr.EXE | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 959d7cd5c3bea11a5cd183693349bf492efb4f2d787903a7c74a5c24cbc60b34 | 0 | 0 |
Screen Capture with Import Tool | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | ea2f87ff45a684c78cb46d65af3705037b7721905ce237e6daa335a3fd7b5769 | 0 | 0 |
Screen Capture with Xwd | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | c3c6c21ad23cac48bdee8d46a0a64de20e48510c5ed1617d23cb328129b7f580 | 0 | 0 |
ScreenConnect User Database Modification | Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress | Sigma Integrated Rule Set (GitHub) | caa995267b72e6c9534b4b29cf06953f3b30ac6a92293200b6ef29f73e66a5b5 | 0 | 0 |
ScreenConnect User Database Modification - Security | Matt Anderson, Kris Luzadre, Andrew Schwartz, Huntress | Sigma Integrated Rule Set (GitHub) | ff0d812436f093b3eaafe438c81181a7f8d8fed42babe673e7ebd4b0fcb6f330 | 0 | 0 |
Script Host Engine Modification | Den Iuzvyk | SOC Prime Threat Detection Marketplace | fcd207e8b19603f1d4e5450c04a2007f88780ea51861992a3e346474d646cbbd | 0 | 0 |
Scripted Diagnostics Turn Off Check Enabled - Registry | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 9274cf922b3625879a3f420c530d8b660107daf65fa7b38b8b5f369fda1f9550 | 0 | 0 |
Search-ms and WebDAV Suspicious Indicators in URL | Micah Babinski | Sigma Integrated Rule Set (GitHub) | 78505d9583fe31f0583ad71ece5f1245f3f2eefb8905ca8688d9feeb476709d1 | 0 | 0 |
SectorB06 Behavior (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6ffdda4e9d83f1b99a99568822f16d5a5a458ffccdb25fad469aaf2dbb8f0dd9 | 0 | 0 |
Secure Deletion with SDelete | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 183ca715ffa97f30b076bb2c8793c0cb64221f3ad05c65fb425e3a38faac3645 | 0 | 0 |
Security Event Log Cleared | Saw Winn Naung | Sigma Integrated Rule Set (GitHub) | f32dc431e5951341656e9d55c58e0047b56f1beee18a05bd2b1e816ddbd10a17 | 0 | 0 |
Security Eventlog Cleared | Florian Roth | Sigma Integrated Rule Set (GitHub) | 152b1150f7da94998822f9e55f3591b37d319fd7ce375004d24703a99aa957a5 | 0 | 0 |
Security Eventlog Cleared | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e20a3a5b38df7ceb5e94712485f6285fdd2ca0b40cf0a5eed31a42bbc779e4ff | 0 | 0 |
Serv-U Exploitation CVE-2021-35211 by DEV-0322 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 624b1600e93d3b9c6146b0136e00c73c8c809fe24a3f5299cbd4de5d727d1833 | 0 | 0 |
Server Side Template Injection Strings | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8be6ef597decb64e9ab2582c7dd28a516b83e83d5c4b5850af7a0b6eac340c2c | 0 | 0 |
Service Control Manager Communication(RPC/TCP) Modification | Den Iuzvyk | SOC Prime Threat Detection Marketplace | b7809c2203acd7e06846efb5d0cddd1ab656f1e9f41b1f1bbff1bf84603a0a48 | 0 | 0 |
Service Installation in Suspicious Folder | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ecc2d5e13f4048a943326cbda15ec3d934a2379d58b271ad16c46189579f9c7d | 0 | 0 |
Service Installation with Suspicious Folder Pattern | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb2028325a4f87324e9edcb5b742eda0a4ac7bade1e145f5e58a007aba469d7f | 0 | 0 |
Service Installed By Unusual Client - Security | Tim Rauch (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 4ae747251f5a1ed8f070b4c0ecfc3352b9da4943765ab946543ffdde7c756baa | 0 | 0 |
Service Installed By Unusual Client - System | Tim Rauch (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | fdf624a22581cc3c063ae7fd1e4dd1e99a58b3ef843c6986807c58c5ca7b7bd5 | 0 | 0 |
Service Registry Key Read Access Request | Center for Threat Informed Defense (CTID) Summiting the Pyramid Team | Sigma Integrated Rule Set (GitHub) | 7fa1be381c006dfeba6f964575748edc6519587e19f58682a109bada3be7b59c | 0 | 0 |
Service Registry Permissions Weakness Check | frack113 | Sigma Integrated Rule Set (GitHub) | 12c54ba61c9b654789342d689a197406cec675bbda5716b7749539b147856e21 | 0 | 0 |
Setuid and Setgid | Ömer Günal | Sigma Integrated Rule Set (GitHub) | 8c6d633ce7d27d281b8cc113ebb409901529acad5564c5a8758ac987fc31b2b7 | 0 | 0 |
Shared Webroot | SOC Prime Team | SOC Prime Threat Detection Marketplace | 3dbc7016da1cb9e2f97a1a07a36ceac8fa6a6df1669425785241bc69b0d6d966 | 0 | 0 |
SharpHound Recon Account Discovery | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | 82d74781c34f25d3963d40a84d98293c4a767dee41198122dbcdc066b41aad22 | 0 | 0 |
SharpHound Recon Sessions | Sagie Dulce, Dekel Paz | Sigma Integrated Rule Set (GitHub) | fcde4bad2b316aa5c50739fa2789441e354c796e17de4002c9f4dfc70d6b19f7 | 0 | 0 |
Shell Execution Of Process Located In Tmp Directory | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 2222191f8dbc0e4567d362898966f0d346e7e7390085bc83070b25f0e2d1a43a | 0 | 0 |
Shellshock Expression | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c6e62a3980f00e65b47fe7e5da5be2a0c6a37bd3ba4b893ee3c533fea9a42f74 | 0 | 0 |
Sign-In From Malware Infected IP | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 7c2cf63a01529bf63e4ed859c3d334960b8ec287edeb2f3dfa7c3abfe6bfb47c | 0 | 0 |
Sign-in Failure Bad Password Threshold | Corissa Koopmans, '@corissalea' | Sigma Integrated Rule Set (GitHub) | 6bf6fec1da30b8d431f68ac226d24159012838564f9beeca79a4c213bababf14 | 0 | 0 |
Sign-in Failure Due to Conditional Access Requirements Not Met | Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 9094c41d2c9288a3a78c9fc7618fd76d15838e94943d4729b7a29b073c5806f2 | 0 | 0 |
Sign-ins by Unknown Devices | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | 96b99f7206b6b8aca46b96048c5bff459ae8f2155805d43770f16914eb023669 | 0 | 0 |
Sign-ins from Non-Compliant Devices | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | e58716418a4b598e01a2ba107b73a1510daed3d3576704d86d55dd211cf4b2fb | 0 | 0 |
Silence.Downloader V3 | Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community | Sigma Integrated Rule Set (GitHub) | 357adfc0bd514a2087509d1a67412a62f8823fd9caa3b6bcb80328828f9ed240 | 0 | 0 |
Silence.EDA Detection | Alina Stepchenkova, Group-IB, oscd.community | Sigma Integrated Rule Set (GitHub) | 48a4a06b77cb84b45614503f3dd1035f0a83b236c4f840f9feab9be366a47d1d | 0 | 0 |
SilentProcessExit Monitor Registration | Florian Roth | Sigma Integrated Rule Set (GitHub) | 11ecefcf79daf3998440bd34d870da91d9c7644eb708e0f933349a5ec077fc87 | 0 | 0 |
Sitecore Pre-Auth RCE CVE-2021-42237 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad5d590f46596f06240eee4586f7acc7d925fcf0ea9f364266b902bedd614224 | 0 | 0 |
Sliver C2 Default Service Installation | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 73157d5ea395adeaf1723c8c84248879d4189a305b0c332f3bed48eb0f00fed5 | 0 | 0 |
Small Sieve Malware CommandLine Indicator | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee6c995a1e51ef35a2acd3d7fb9a6270865ae48e8e97fb9d5b54d5dbff7ede11 | 0 | 0 |
Small Sieve Malware File Indicator Creation | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a5e1682ac1131f69642630802a35b4640016f5c05b8e5f3c79433bfa04ead1f1 | 0 | 0 |
Small Sieve Malware Potential C2 Communication | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 438093b5ebf25921ae4e01d62578bd2d7f449a265706be0d5e6f0d043ab61afc | 0 | 0 |
Small Sieve Malware Registry Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a6c980e209ade1d1ed5e1ff396f56524c18e4268c151f397bd45d6b5e8367c40 | 0 | 0 |
Smoke Loader Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0f0b6b52e3342eb0329e8ff51f0683aa5892c55d6d44aa49fcdbdf0f25761103 | 0 | 0 |
Smoke Loader Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8d6d3b800ba936bb6910fd8bbf9551207e2288db95a5dafa6474e8a1d2f2d5fc | 0 | 0 |
Smoke Loader Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d4f0a8b263fcf2d7b93ad451aab578895046944691b0ea3e4379ef1e9ccf7937 | 0 | 0 |
Solarwinds Launching Powershell With Base64 Encoding (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 30b4784c9d03d78a809bed19df233f6f95fc2c8325b32af97e0b1b8d24c6676e | 0 | 0 |
Solarwinds SUPERNOVA Webshell Access | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 81250a3a43500530ef04ff62b918cc5690b18cc4d09b4f77315012231acaa8bd | 0 | 0 |
Solarwinds launching cmd.exe with echo (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 0174ab54fed285f5c38eceee197f8a60debfec2c3aa590604079831c288a9fb6 | 0 | 0 |
SonicWall SSL/VPN Jarrewrite Exploitation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e272203177abd4fd109dd93ae0e9913836f80a81b43eec0c819720c72843582c | 0 | 0 |
Sophos Firewall Zero-Day explotation (Asnarök attack) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | abea43cce1ab59b98d083a4bc5077c3e4acd49c745ee202f392405853fd46664 | 0 | 0 |
Source Code Enumeration Detection by Keyword | James Ahearn | Sigma Integrated Rule Set (GitHub) | 91e80be4f3cb482bed8e242eb9e418e4fee5b1aaf32e61f4ae6d7def7d537d66 | 0 | 0 |
Space After Filename | Ömer Günal | Sigma Integrated Rule Set (GitHub) | 96dade50824ff0a3a7ba5d5a9abc82419f0df174afff971fe0d7d87e74061785 | 0 | 0 |
Split A File Into Pieces - Linux | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 3adbeb64ee2cc89f2825fbd133547fe3d84aac1ee5d48faaf2375b7c8364f74b | 0 | 0 |
Spring Framework Exceptions | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | b9855abb1feaca99e5181199bf4d256c29f0150d137ed61e9cef83ce27764295 | 0 | 0 |
Stale Accounts In A Privileged Role | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 6d400ed2347a68bfd63c4c9a884df17a9b73ea2eadfc65f4d6056d00d13d0e08 | 0 | 0 |
Standard User In High Privileged Group | frack113 | Sigma Integrated Rule Set (GitHub) | 140f4579c57f055d3465794c871b82107ea1afc8f6eade149c3957e99b7a8d3e | 0 | 0 |
Steganography Extract Files with Steghide | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 9e28a144fe3121ecd3d91e846d0e1d5fb7be043db90ebdcda4ce1ddc629e0b78 | 0 | 0 |
Steganography Hide Files with Steghide | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 2bc5697bb7a12c272490c67a3d83002e19dfb4722525786e91a4fba4c8b9ee97 | 0 | 0 |
Steganography Hide Zip Information in Picture File | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | bb93f264dbaa005c9bc379b7db5eaa5cd680009288c824a9916340aef05188bc | 0 | 0 |
Steganography Unzip Hidden Information From Picture File | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 100e9962a68f74be52b70ad11285a16a1d1aa29e419831b60158672ee356b344 | 0 | 0 |
Sticky Key Like Backdoor Execution | Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | baf8cb1a268fb3d9173b5474a184cb8fd04489192832ac12dcd4d826248523b2 | 0 | 0 |
Sticky Key Like Backdoor Usage | Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 210403ed0765f9206944ba0e7ae9a7fed3b74606aa7d5defd92b45c7565c50b4 | 0 | 0 |
Sticky Key Like Backdoor Usage | Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 846842612cb81a07c0a4439f34127f7229a040a0618300a962ad5a95316f5417 | 0 | 0 |
Sticky Key Like Backdoor Usage | Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | bec9d927518cb9af8ee98a6cde08e6a1f05090534e3b3c24e8ced8ae93e15311 | 0 | 0 |
StoneDrill Service Install | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09c420a38066758c0236577ccb5fd401e138351217d25dbeae1220521c446472 | 0 | 0 |
Stop Or Remove Antivirus Service | frack113 | Sigma Integrated Rule Set (GitHub) | 7c4cece5b540c72f100dd8b8b7fc1c10727460ec0f36c75249e28ed51d6348ef | 0 | 0 |
Successful Account Login Via WMI | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 19ef4372b7c2775276ff1cd9b0da8737a7f6e8739d252d7f90e3f3ba296d1c78 | 0 | 0 |
Successful Authentications From Countries You Do Not Operate Out Of | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | 97943fe57ba127d66118662bbf0978fa8ba9f641660a7e32ae61103ccce8f6e8 | 0 | 0 |
Successful Exchange ProxyShell Attack | Florian Roth (Nextron Systems), Rich Warren | Sigma Integrated Rule Set (GitHub) | e33130e6f328543f0b8bb35ef1bb2f92e015fe84965c32bf1d82d85dd00e1c1c | 0 | 0 |
Successful IIS Shortname Fuzzing Scan | frack113 | Sigma Integrated Rule Set (GitHub) | a46c1f051bcaa146c4a9adddc286b70714cb1365fe10a19aa2dcc7fd1aaaaf0f | 0 | 0 |
Sudo Privilege Escalation CVE-2019-14287 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 01dc28806687bbabc12e4c23cb8e022a4a81f459e26a267f34656b9e1aedf31e | 0 | 0 |
Sudo Privilege Escalation CVE-2019-14287 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 284295b46bb8dd089813e305d695c5a0d85a5bde29f85e014d643b3cf63bbeb7 | 0 | 0 |
Sudo Privilege Escalation CVE-2019-14287 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 37747140310b15c961b277ca418c6bcac1cfbd1a54e54df2a20cf743aa17f317 | 0 | 0 |
Sudo Privilege Escalation CVE-2019-14287 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 75e40e43cc29db5d459f59bcc8d869264e37cb55976f57b0d731c18039306935 | 0 | 0 |
Sudo Privilege Escalation CVE-2019-14287 - Builtin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1ddcb9d1b179a17e011ac90c0294b7768bd99cc9d2a79c0df5506d870771953c | 0 | 0 |
Suspicious ASPX File Drop by Exchange | Florian Roth (Nextron Systems), MSTI (query, idea) | Sigma Integrated Rule Set (GitHub) | bb948403cd4897a7fa0bd4130c539655d1c16b15598553c6a34568c919031785 | 0 | 0 |
Suspicious Access to Sensitive File Extensions | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | c31fff6fad64dfd4138d6e166a46e20bf4a25db7117bc20b82965e7ed11982d3 | 0 | 0 |
Suspicious Access to Sensitive File Extensions - Zeek | Samir Bousseaden, @neu5ron | Sigma Integrated Rule Set (GitHub) | 375d7fe36535214203bd98ae8bf81aecffb58ea5ae11de354f0140e7390327e2 | 0 | 0 |
Suspicious Access to Sensitive File Extensions - Zeek | SOC Prime Team | SOC Prime Threat Detection Marketplace | 50e6edda507653e781908aed57ac737c10463c8aa7a2b28ec7724a716c0c9073 | 0 | 0 |
Suspicious Active Directory Database Snapshot Via ADExplorer | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ba06f41f0cdacccc90e44cfd3d87282153f8adf3929671a78d84cc924d544d21 | 0 | 0 |
Suspicious AdFind Execution | FPT.EagleEye Team, omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | cb903e3e20e158519f1431d1978e1d50abf68706bbedd496258a99a785f2ec00 | 0 | 0 |
Suspicious AddinUtil.EXE CommandLine Execution | Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) | Sigma Integrated Rule Set (GitHub) | 8e1481adb39891d6dedeae88dcb07eeaf15bdd7e3a2411e61516ade49fdb1628 | 0 | 0 |
Suspicious Advpack Call Via Rundll32.EXE | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0b62708afeee4149ceb2b9d28723f6851c429573dd87fbc76b0b636af1727e8d | 0 | 0 |
Suspicious AgentExecutor PowerShell Execution | Nasreddine Bencherchali (Nextron Systems), memory-shards | Sigma Integrated Rule Set (GitHub) | 30db6ed0e00254321424a7bd150a6b32fe024744b95caf6061d268915c83db15 | 0 | 0 |
Suspicious AppX Package Installation Attempt | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6b4a6f38adb95b4288c5c7c4c6f3a34360d4cb29c89ff54dab085eb5e18e3b82 | 0 | 0 |
Suspicious AppX Package Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 55c78abcc295575b4d679261b5d8385d80a02e702af4d0d15071711dbc30ada7 | 0 | 0 |
Suspicious Appended Extension | frack113 | Sigma Integrated Rule Set (GitHub) | 3b0fe70c5a9b47ff8d77e014a4b885539419686f60c19c48801ec4b9dd125a18 | 0 | 0 |
Suspicious Application Installed | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5d1ced4a52f1f5a2b91e544db707099bb9c97b4406e604c377a19c9392192e0e | 0 | 0 |
Suspicious Base64 Encoded User-Agent | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae5033bec68378ff3903219d0a081175cb289d5510c82f33a09a0fa3f99b2c2a | 0 | 0 |
Suspicious Bitsadmin Job via PowerShell | Endgame, JHasenbusch (ported to sigma for oscd.community) | Sigma Integrated Rule Set (GitHub) | 84a714b787a32a4edd32972c4a71a7d66d4a250549ad6c4b1a3faeb077c0bce6 | 0 | 0 |
Suspicious Bitstransfer via PowerShell | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | b19ad60b757e0d750b6426b1bf5fc68b705f7acf21dabd6e2a59f369493ff2e8 | 0 | 0 |
Suspicious Browser Activity | Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | Sigma Integrated Rule Set (GitHub) | 9b31bddf669715edd1e978f07fa5c4a8cf9a5ed6e397147cc565b04c0b076db6 | 0 | 0 |
Suspicious Browser Child Process - MacOS | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 568d8c64405dbe084d6462ee2205872cab0363d87a06ed836afe3a660048a901 | 0 | 0 |
Suspicious C2 Activities | Marie Euler | Sigma Integrated Rule Set (GitHub) | 7f495f7056b28211483e60f8f0510254ee64903ec5d127b9b822b085833218e9 | 0 | 0 |
Suspicious Camera and Microphone Access | Den Iuzvyk | Sigma Integrated Rule Set (GitHub) | f73e458cd36aac62c3443939924222027b1344d84127a52bf5623bcc692c86fc | 0 | 0 |
Suspicious Child Process Created as System | Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 84856c029af862b4a726da5944e6a57aaed5fda15c317414f9afeb3941c0010d | 0 | 0 |
Suspicious Child Process Of Manage Engine ServiceDesk | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9eac0a588f2d6d66552a47daa72a61d19949836c752ad630ccd820e1593e7565 | 0 | 0 |
Suspicious Child Process Of SQL Server | FPT.EagleEye Team, wagga | Sigma Integrated Rule Set (GitHub) | 084aa83f6231ad8f1641d3a19e8fd1cfef9a9cc7c1be4c416fdaf86ff56071fa | 0 | 0 |
Suspicious Child Process Of Veeam Dabatase | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2dfee20411a27951e5561930e00a23b00d204c747c364defaf050fb9679ad74e | 0 | 0 |
Suspicious Cmd Execution via WMI | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 8c78d38861194b5331809156fa1e3df49456c4e1d9d52a1705ed9ffbd28295d6 | 0 | 0 |
Suspicious Cobalt Strike DNS Beaconing - DNS Client | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 16333814c2a5d64593f4c8ea166415d71d1da9a6342322c8bf683d2931872098 | 0 | 0 |
Suspicious Commands Linux | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3458d203410df750034bc6a6cf707cf905639d4ded28fbafac96941e0a0ec53a | 0 | 0 |
Suspicious Compression Tool Parameters | Florian Roth, Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 9ffd116f512698b4f9b310ee5526625ddf70dc16d7e3a87e744f709c8b537b2e | 0 | 0 |
Suspicious Computer Account Name Change CVE-2021-42287 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 367ee44bfca23688ae0b0af0a5b6d5e824e751b28ac7849d1648bafb35b0448f | 0 | 0 |
Suspicious Computer Machine Password by PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | c5921c926dcae921e9359276449f92b2c6f72168039b08968ce25b5b9b6d2e69 | 0 | 0 |
Suspicious Control Panel DLL Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0791036b2af8420cef203df27c7840172deaafc554441f24ba507cd69d0d79e3 | 0 | 0 |
Suspicious Curl File Upload | Florian Roth | Sigma Integrated Rule Set (GitHub) | 63ca787b0e9b439877ff859851c650e60a39c37447b6c96420cafc38d94331db | 0 | 0 |
Suspicious DLL Loaded via CertOC.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 506c72069a947a783eff1ae29f031edb5f898bbd365dbe9a4b9e20d502a338fb | 0 | 0 |
Suspicious DNS Query with B64 Encoded String | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7c4c3ea7b520b1ed475e29a999863beeb5301ce2a0cee83a0b246f19f1e0601c | 0 | 0 |
Suspicious DNS Z Flag Bit Set | @neu5ron, SOC Prime Team, Corelight | Sigma Integrated Rule Set (GitHub) | 9520587a618269e5bf36ca31426edd352f0894b0dd96480e2a48554e5794148a | 0 | 0 |
Suspicious Desktopimgdownldr Command | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beb013be28477c7cc6a96b5e49885366af682311b00c0ad036f6df272f0d73bf | 0 | 0 |
Suspicious Desktopimgdownldr Target File |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b01cb061a8ed4c005cf232ea599f09e2e3fdcc4033c23e74729723958607fce3 |
0 |
0 |
Suspicious Diantz Alternate Data Stream Execution |
frack113 |
Sigma Integrated Rule Set (GitHub) |
5888f710b830080c3505ccf3c3631d57eb9bd8be6b13d067fe7926dae9e72dc4 |
0 |
0 |
Suspicious Diantz Download and Compress Into a CAB File |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b05a48e704cc2fbb722e3b3533e7b741751d8699bff15f6f28571133fe7611da |
0 |
0 |
Suspicious Digital Signature Of AppX Package |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
db7f6bed5d0dde14215ada7781fd59838f617a3ed31d01856d67278595f9379f |
0 |
0 |
Suspicious Download from Office Domain |
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a93dc62f3906167da8a6825eb9c1d7bd2ce6bfbb4ab3182329221f812e8374ee |
0 |
0 |
Suspicious Driver/DLL Installation Via Odbcconf.EXE |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
65e3d138ed59a381f2121f1d92dd8a80147497df2a2bee2bc63c44f7364c5aab |
0 |
0 |
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call |
pH-T (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
68d6bc153d363f0b968563eca5ffe6c76c6d32f22825add51854906ff183796a |
0 |
0 |
Suspicious Encoded Scripts in a WMI Consumer |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
06b69d9fb47d54903b8bff29c64d3bc3ad88eab8d9196cef1ed669080b206973 |
0 |
0 |
Suspicious Esentutl Use |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
6374ec2e5ca4f1bca3332d137882a6526e7230b5207c4de514d3b0a0a1e94fcb |
0 |
0 |
Suspicious Execution From Outlook Temporary Folder |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e10440993b0b656a1a8c6d3b8e4bbc81af5b7f7cc7b8373de18dea6d80adae4e |
0 |
0 |
Suspicious Execution Of PDQDeployRunner |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7eef5c9bd546630ea12c91d57be092b4b9c9c7bb400252d422d80fef08097b68 |
0 |
0 |
Suspicious Execution Of Renamed Sysinternals Tools - Registry |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3ed6b9d37bd18283aa0d9e4ac90aef6a16c846a026c995947ad3915d552813bb |
0 |
0 |
Suspicious Execution via macOS Script Editor |
Tim Rauch (rule), Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
f0e34536a6290168b216e957004a27eee324dcd551ef6097f4c5e2a515716720 |
0 |
0 |
Suspicious File Created Via OneNote Application |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7dda8606bb329894f043ccf94ac62751c19f87d742ee8e00c88e01c57396e685 |
0 |
0 |
Suspicious File Download From IP Via Wget.EXE - Paths |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
dc442ba4eb2bab0b5a2f42888b64899ee8df157a9421844d7357df76d6fe92e6 |
0 |
0 |
Suspicious File Drop by Exchange |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8c8367f9dfc37168dc6405916b58e6caff596c82302bc0f975ab1a15bea01c96 |
0 |
0 |
Suspicious File Execution From Internet Hosted WebDav Share |
pH-T (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9d307b7c423134f5ddcbc65c0c787b0ca177d16056abb95987cbefda5e9da1ed |
0 |
0 |
Suspicious Files in Default GPO Folder |
elhoim |
Sigma Integrated Rule Set (GitHub) |
9d0460b05a7d5059e94192f430c619de34ed01b40a776ef07c0f4ca8e7c63c6d |
0 |
0 |
Suspicious Get-ADDBAccount Usage |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ff976c058f98951f888acebc22c718cfa0989294f531a1dee5660a0c1c06f0f3 |
0 |
0 |
Suspicious Git Clone |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fdc5241371963b85bfc8bc1454a8f964643600a35323a9a168c52bc0946b6b50 |
0 |
0 |
Suspicious HWP Sub Processes |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
609a26363ca1233fc9637c9ef8d9c18feb2dc0dcf6b98ccb949a1913e739c3dc |
0 |
0 |
Suspicious High IntegrityLevel Conhost Legacy Option |
frack113 |
Sigma Integrated Rule Set (GitHub) |
1c0964b913350c2d2ed7914e864e3859a758fa1ad84f1d29bce1638f60ee6073 |
0 |
0 |
Suspicious History File Operations - Linux |
Mikhail Larin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
946d8ac00870587827118a553b9209dbf76acb7e909425d91f177bde98fc1401 |
0 |
0 |
Suspicious IIS Module Registration |
Florian Roth (Nextron Systems), Microsoft (idea) |
Sigma Integrated Rule Set (GitHub) |
97ed6692fb3bad1771a95890c0a60a75f26be235da6ecc615103c8c33c1aa15f |
0 |
0 |
Suspicious IIS URL GlobalRules Rewrite Via AppCmd |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4a406b126347953cfe315d80f4267d30c93678ba59268330212e6a37000467c8 |
0 |
0 |
Suspicious In-Memory Module Execution |
Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
4e3a7d5df089d2d7c80cf84bbba4e8a4363101ac03f6a9c758101f0c1bb010a4 |
0 |
0 |
Suspicious Inbox Forwarding |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
487fc5687e250bef85f8102efa69086f801e489db41cb0f01c4bf4b1ed4827f3 |
0 |
0 |
Suspicious Inbox Forwarding Identity Protection |
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' |
Sigma Integrated Rule Set (GitHub) |
30a57d6df72040349e0b9303a098e739e49dc892557557d2e0d19fa4ec70e21d |
0 |
0 |
Suspicious Inbox Manipulation Rules |
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' |
Sigma Integrated Rule Set (GitHub) |
0744feb248d2d5a5ce8ae7169c1aa48667c8b870c41b6e34f5743a5c35fa8433 |
0 |
0 |
Suspicious Installer Package Child Process |
Sohan G (D4rkCiph3r) |
Sigma Integrated Rule Set (GitHub) |
ac632f049b50fccac2801c1fb8b5a27b1f771e75fa4dfe7614037e08985cb23d |
0 |
0 |
Suspicious Invoke-Item From Mount-DiskImage |
frack113 |
Sigma Integrated Rule Set (GitHub) |
b39494f0c815f838357a670dc6b43d13f4a3ab92f2ce9cac04909e1b3e2fcade |
0 |
0 |
Suspicious Java Children Processes |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
672d1dbc057ebe6a59b879830826dcffb12c0c7f1a97d0c00e18412e7746429f |
0 |
0 |
Suspicious Kerberos RC4 Ticket Encryption |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7f2bb7e386b3f3d057b64c70d36264a2c7163a1215e88b8731f9b87d919ca77d |
0 |
0 |
Suspicious Kernel Dump Using Dtrace |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f1a72edd07dd4c90ef3c56a4aaab9034ebe25d9a2b5d3e9de4deb8877f60ea24 |
0 |
0 |
Suspicious LDAP-Attributes Used |
xknow @xknow_infosec |
Sigma Integrated Rule Set (GitHub) |
0730743577ad7cca001768987a40afda61d7838e179b9c8f1053e72a1459048a |
0 |
0 |
Suspicious LOLBIN AccCheckConsole |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bdd4b3cf901dc4fd7c4ee12323f20fd996bc0170c122f0566f5dbfbede875c23 |
0 |
0 |
Suspicious LSASS Access Via MalSecLogon |
Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
40c242ef2d6a78e1d98f62f539492057d9594d269a98bfe8b9d78c88a5985ba2 |
0 |
0 |
Suspicious Load of Advapi31.dll |
frack113 |
Sigma Integrated Rule Set (GitHub) |
fdde9ab8116dee77741eec010f384a7df489d11062e8ef7d46dce09ec51717b1 |
0 |
0 |
Suspicious Log Entries |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3b172a1d01b7c198d455c2a17e8ae127ce5f5dba1c75a0a99cc77599f4ca78f7 |
0 |
0 |
Suspicious MSExchangeMailboxReplication ASPX Write |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fa002b31be3f4e611034c69df7ee949cffa22117828400d70e69089801abc14c |
0 |
0 |
Suspicious Microsoft Office Child Process - MacOS |
Sohan G (D4rkCiph3r) |
Sigma Integrated Rule Set (GitHub) |
165e967934d0cec0e63b5cf8a289ee318662e0a8b8c576f6ec2f2dc27eafc226 |
0 |
0 |
Suspicious Multiple File Rename Or Delete Occurred |
Vasiliy Burov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
5cbe938f157b387106147682e156a8efa2d8aeb5efce0266d3c0081b69e12678 |
0 |
0 |
Suspicious NTLM Authentication on the Printer Spooler Service |
Elastic (idea), Tobias Michalski (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2c55f9d9f3f4dc25ec6908c17d18aa64d4262941cc6851d20150f4136be5453a |
0 |
0 |
Suspicious Named Error |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b8b5a8000383b99cb6f14f2e8f17d927da0e92e965c625faa3cabe1e72b84323 |
0 |
0 |
Suspicious Network Communication With IPFS |
Gavin Knapp |
Sigma Integrated Rule Set (GitHub) |
25602b7956b8b2129bbf5893bbfe5b6b6bc948e9d225b47b5d43055f48248b00 |
0 |
0 |
Suspicious Network Connection Binary No CommandLine |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
67ad04a82289f88e52e0bdb0655cbfe3c303b18ef877639dec59f3c485cfac92 |
0 |
0 |
Suspicious OAuth App File Download Activities |
Austin Songer @austinsonger |
Sigma Integrated Rule Set (GitHub) |
fa3f7119a0c19e9ddb6bf3defe5e0797888e23ec789c8f3357af53a5f70c3c94 |
0 |
0 |
Suspicious OpenSSH Daemon Error |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e0a89459a9f05d408d482b9640980fec9bab82d2dd11083d04356a4055021f78 |
0 |
0 |
Suspicious Path In Keyboard Layout IME File Registry Value |
X__Junior (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ddd88c5a8c5b057d7b598e894795cec07bb567c64355e88c93ebca56da327f06 |
0 |
0 |
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ab9342dac5b3f049e5fea481d289344bd53a9f9404b8a7c4421870e296c426d7 |
0 |
0 |
Suspicious PowerShell Download |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
2db1db0eb3649cc130ae953a4803853a8ff8e44f3c4a06d42ed49eb3cabfb696 |
0 |
0 |
Suspicious PowerShell Download |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
9d6bbc732c370aae45fda2c0c962d9136afa87ecd165064208cb40aa877e4e5b |
0 |
0 |
Suspicious PowerShell Download |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
9e7977461c567e8bfbcdd316661d9ef710694b3de751c6ad76cf0dae3749c57b |
0 |
0 |
Suspicious PowerShell Download |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
ddc4948cb3433762084af70db4c7d85a2cd1e48ee6ae8dc152412a50dfbb42db |
0 |
0 |
Suspicious PowerShell Invocations - Generic |
Florian Roth (rule) |
Sigma Integrated Rule Set (GitHub) |
20f6c9f89613e81c3c83ed81ee4dd3f5793d5910ebc8fbc5330174a7a74ecb54 |
0 |
0 |
Suspicious PowerShell Invocations - Specific |
Florian Roth (rule), Jonhnathan Ribeiro |
Sigma Integrated Rule Set (GitHub) |
5d6d29828f1f8db072b666bd85ae7074ac349c49205087a92da4084700e50657 |
0 |
0 |
Suspicious PowerShell Mailbox Export to Share |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bdf323dec5fa58a6655db6a0ae8ed9322f1fae8288502705c60e0b1f38761a06 |
0 |
0 |
Suspicious PowerShell Mailbox Export to Share - PS |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0861753c840036f498e3bd4029c5edd57ad0622e1bc413cf2d38df4ea3fb34bf |
0 |
0 |
Suspicious PrinterPorts Creation (CVE-2020-1048) |
EagleEye Team, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
9f4d9015afcdadf3e8a90bd3b8b01cae40397eca61dc45580339296224e1b40f |
0 |
0 |
Suspicious Process Creation |
Florian Roth, Daniil Yugoslavskiy, oscd.community (update) |
Sigma Integrated Rule Set (GitHub) |
b902e441638f8747df97dc2c59508d1d39ca9ab179b28132c51cee02b1d19152 |
0 |
0 |
Suspicious Process Start Without DLL |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
d473f1a87cdfa8e30ccefdd183b775109bfb012796c04ab06be794c4b74ba1eb |
0 |
0 |
Suspicious Provlaunch.EXE Child Process |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f866c0bee7cfae223e6c32f2033891c7f0c284e03b66f23b4fabd91f76e9e151 |
0 |
0 |
Suspicious PsExec Execution |
Samir Bousseaden |
Sigma Integrated Rule Set (GitHub) |
f04c595ca66281cfe11a9157fbeef36ddbee45cc4a5391471d010a08e4c14863 |
0 |
0 |
Suspicious PsExec Execution - Zeek |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
5c9d17e0b9843d06a6bdc67aa64f2d0c4823a01681a54c83d94c7e3c0bbe2c66 |
0 |
0 |
Suspicious PsExec Execution - Zeek |
Samir Bousseaden, @neu5ron, Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
eee9047f1507bcd02b641cb229c21f615af4fb70ba87dbff05842699503530b4 |
0 |
0 |
Suspicious RDP Redirect Using TSCON |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2d1baec06e45f7d7bbd540486a817a6738253b8960068c5aee89c3123cfa1ac0 |
0 |
0 |
Suspicious RazerInstaller Explorer Subprocess |
Florian Roth (Nextron Systems), Maxime Thiebaut |
Sigma Integrated Rule Set (GitHub) |
b656a8d4ce3cfd0545afa9a8754e22d2d051bd71f469b2d3d844ecf580dd0532 |
0 |
0 |
Suspicious Redirection to Local Admin Share |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a1efd51dbf79212db85a2c4038309389dd1fc357ab4ca2be2b60e1f5de85beff |
0 |
0 |
Suspicious Rejected SMB Guest Logon From IP |
Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w |
Sigma Integrated Rule Set (GitHub) |
f1f470f63c4d9b600bbc209212d3f1806b7b41154d14a15f0666241f96f786b1 |
0 |
0 |
Suspicious Remote AppX Package Locations |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
24496f972dab986c0b02095b9ab70f146ab35093bb1e1a1b5e6f53fa4fe709e9 |
0 |
0 |
Suspicious Remote Child Process From Outlook |
Markus Neis, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f9e5ca1d53357c6179a23ffe1ed388ebe305e69c24b43fd23804a567a490780a |
0 |
0 |
Suspicious Renamed Comsvcs DLL Loaded By Rundll32 |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bb742ff85b3c9a1b3dd1e6ca80f61086fe051299c7849fa28d012a7248e9e520 |
0 |
0 |
Suspicious RunAs-Like Flag Combination |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
90c1cc21debdada5d0fcc2afbc166820029a07eb4adad2d3d7b5b09d5dbc707c |
0 |
0 |
Suspicious Runscripthelper.exe |
Victor Sergeev, oscd.community |
Sigma Integrated Rule Set (GitHub) |
11391eae2fbdc6dde630d27416798a88f2a185e1dc68c55e40fe03a2a85412de |
0 |
0 |
Suspicious SQL Error Messages |
Bjoern Kimminich |
Sigma Integrated Rule Set (GitHub) |
25642d4ac27c9f3036a7124392a66d0dad8e15e7f323995c82b1b9460ae3ffb5 |
0 |
0 |
Suspicious SQL Query |
@juju4 |
Sigma Integrated Rule Set (GitHub) |
2a7aa4e41231e1b0524f3cd4bc3ea12bf92ecdfbb3ed80a6c4dc0c8ef42d373c |
0 |
0 |
Suspicious Scheduled Task Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bffcbf199caf6618ec0632e009bb69353f15a11388b2c130984c2be005d800f1 |
0 |
0 |
Suspicious Scheduled Task Update |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a0948d42b228f12aeaca91583a65ad12cd9578f9490a86b19194440cac3994ff |
0 |
0 |
Suspicious Serv-U Process Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7456e5b742cfbd4f35bce2536feed29bf8c22343e4f695fdd04fbf7070d41396 |
0 |
0 |
Suspicious Service DACL Modification Via Set-Service Cmdlet |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
dc53bfcc618f20855734b363a199a1bb7088e9b6366330f2d73c89f4830e295f |
0 |
0 |
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fa87227c8ef55f355d187b7f0d44d69fecf0d7ee575cc3730fe757a38cec54dd |
0 |
0 |
Suspicious Service Installation |
pH-T (Nextron Systems), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
94a10fb40e2dcc9f743a6b7910ac8e6f494deea16b643f51403bab5086be6a7a |
0 |
0 |
Suspicious Service Installation Script |
pH-T (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a807d64a3f9a1aee435e9d3d51d46250e3ffea7c190dea627dac4051f51696cf |
0 |
0 |
Suspicious Shim Database Patching Activity |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
61ec0cc91754f7ca419e31b04481c92897b180e449f0c0a4ac571523ab898206 |
0 |
0 |
Suspicious SignIns From A Non Registered Device |
Harjot Singh, '@cyb3rjy0t' |
Sigma Integrated Rule Set (GitHub) |
47ca70cb2ec9b97ad474f95c84a9b656c09956b847a325c011cf20ad5474e28e |
0 |
0 |
Suspicious Svchost Process Access |
Tim Burrell |
Sigma Integrated Rule Set (GitHub) |
9fc70bf733b29bcd18e12529f975e24abdf01e3660221d791f76d57e02e2d527 |
0 |
0 |
Suspicious SysAidServer Child |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fa328d9830be6a424db03c3b9931c2bf4feebcf032f7c702ca62053448095f80 |
0 |
0 |
Suspicious Teams Application Related ObjectAcess Event |
@SerkinValery |
Sigma Integrated Rule Set (GitHub) |
4a0e44811d11e6f266ca4f87c93ec8a3d5520eae505dc05694f5b9473af509bc |
0 |
0 |
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2edd9587fec3afbdba27c193e057a7b5b378162e4ddd1ad9b808602f5e20e70f |
0 |
0 |
Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 |
Cybex |
Sigma Integrated Rule Set (GitHub) |
9937b6e6ae332de5e4a7d70d91b2c54d616c6c5a3491974b668d117ae637604e |
0 |
0 |
Suspicious Use of CSharp Interactive Console |
Michael R. (@nahamike01) |
Sigma Integrated Rule Set (GitHub) |
a4fc89bb3700fe0a55cf04c68919916827d349edffbb82042fcceed68a55944d |
0 |
0 |
Suspicious User Agent |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
d91df9da12337a7f5ee75bb073c3410a058eb5ed6b7c86b148e725f9059f75a0 |
0 |
0 |
Suspicious User-Agents Related To Recon Tools |
Nasreddine Bencherchali (Nextron Systems), Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
a24e7b53f51338e062a4c0ad76154753129052ee12ebfb5fd0bf818d11ee8c25 |
0 |
0 |
Suspicious VBScript UN2452 Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7fb1daa4a8edb7a5b90b062c058870ef63fc97c3ef0e3208a4ebe707c2f77f8f |
0 |
0 |
Suspicious VBoxDrvInst.exe Parameters |
Konstantin Grishchenko, oscd.community |
Sigma Integrated Rule Set (GitHub) |
7f57d3ad9551dc7e9826a09268d6311674527871cd948f123fe51b8ad1b701aa |
0 |
0 |
Suspicious VSFTPD Error Messages |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bbc1da4633ad6413fded73095affb9717c6e165f62cd9aad1ecfef998aa8db78 |
0 |
0 |
Suspicious Vsls-Agent Command With AgentExtensionPath Load |
bohops |
Sigma Integrated Rule Set (GitHub) |
9f01dd8d09135ee4372c7cf259bdd238ef5beaff8d03b7a0aa8ef0d5fc0b659d |
0 |
0 |
Suspicious Werfault.exe Network Connection Outbound |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
16c36a9e42bc4413ac1329f5dd42431a817722b75cea05ac07ebb3f65876cb0f |
0 |
0 |
Suspicious Windows ANONYMOUS LOGON Local Account Created |
James Pemberton / @4A616D6573 |
Sigma Integrated Rule Set (GitHub) |
95f1c4af26ab73ade968853c4fcf97de23d5c6004b49db4a07a2616054591b05 |
0 |
0 |
Suspicious Windows Strings In URI |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
cbdc0f6b8b52d66a08ba1df24758e02d8bcc7a727be78396c3c5e2a3c15820b4 |
0 |
0 |
Suspicious Word Cab File Write CVE-2021-40444 |
Florian Roth (Nextron Systems), Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
81b716bb22121eaedb941850fff6c213e7492ff4ee7564ae54606bc9dbb4fa57 |
0 |
0 |
Suspicious X509Enrollment - Process Creation |
frack113 |
Sigma Integrated Rule Set (GitHub) |
e37fe19aa7211312d16f86a97be31d1e7f036a49ca501a83feb84f3ba4d27ff9 |
0 |
0 |
Svchost DLL Search Order Hijack |
SBousseaden |
Sigma Integrated Rule Set (GitHub) |
db5441b38e2fcbf39fea3bb39c740232381bd1357c8ff96f6df1ce0020169259 |
0 |
0 |
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module |
Ensar Şamil, @sblmsrsn, OSCD Community |
Sigma Integrated Rule Set (GitHub) |
da7ba86aeba5af6786083f79201143e96dfb9aaa6f81136cb9deeffbda13a236 |
0 |
0 |
SyncAppvPublishingServer Execute Arbitrary PowerShell Code |
frack113 |
Sigma Integrated Rule Set (GitHub) |
bd38197f39431ccbcd7225eae0595eed4788e30dee52b6db845bb259cc8a5490 |
0 |
0 |
SyncAppvPublishingServer Execution to Bypass Powershell Restriction |
Ensar Şamil, @sblmsrsn, OSCD Community |
Sigma Integrated Rule Set (GitHub) |
15b8bc2b4085ebae022c2b20c71b4ff925bb2def0f422752e477ef64090acbb5 |
0 |
0 |
SyncAppvPublishingServer Execution to Bypass Powershell Restriction |
Ensar Şamil, @sblmsrsn, OSCD Community |
Sigma Integrated Rule Set (GitHub) |
2f6c3876a6bf6c6982f41c7a31019b9025028a80428d75d0fbfadc485780f478 |
0 |
0 |
SyncAppvPublishingServer Execution to Bypass Powershell Restriction |
Ensar Şamil, @sblmsrsn, OSCD Community |
Sigma Integrated Rule Set (GitHub) |
3bc75ee6104b1d450b245ac94167ae14c204c835e99ff14f840649b7ec5cb561 |
0 |
0 |
SyncAppvPublishingServer Execution to Bypass Powershell Restriction |
Ensar Şamil, @sblmsrsn, OSCD Community |
Sigma Integrated Rule Set (GitHub) |
72c39d73d55d9033eaf48b2345a2731c21be042d5b6a492dd732ad728d06da24 |
0 |
0 |
SyncAppvPublishingServer Execution to Bypass Powershell Restriction |
Ensar Şamil, @sblmsrsn, OSCD Community |
Sigma Integrated Rule Set (GitHub) |
a8c3610f0218840679ca4d558856dbb0f5d711cabe7b939a9f283180553e2b77 |
0 |
0 |
SysKey Registry Keys Access |
Roberto Rodriguez @Cyb3rWard0g |
Sigma Integrated Rule Set (GitHub) |
00368348746af494ae4871162a2c3187af955e35e20fc2de34bda349b1883860 |
0 |
0 |
Sysinternals PsSuspend Suspicious Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
56654aed7c40de6b38d02ae11978a98d76f2045e2b715925563b9a79d8db0adb |
0 |
0 |
Sysinternals SDelete Registry Keys |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
d5a8c01fb27702ba8f9e0abb5ca03c7c11b6bbf635c3e08354c5106eb06c1c85 |
0 |
0 |
Sysinternals Tools AppX Versions Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e0c6dedbb0a3c9244c69da7aa0922b6c42fca7f8bef15f5e7e53692ce56655c2 |
0 |
0 |
Sysmon Application Crashed |
Tim Shelton |
Sigma Integrated Rule Set (GitHub) |
d6da4eb76c586437f5fff020dc4168d1abb0945c1365d46be05d23164d9276b3 |
0 |
0 |
Sysmon Blocked Executable |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1465e125dc6604c53527ef6c23b3e6c4380b78e46d327aaaadf658458d08abf6 |
0 |
0 |
Sysmon Blocked File Shredding |
frack113 |
Sigma Integrated Rule Set (GitHub) |
27f8ed179d16f640500bf0f00550e2f05fb62070a448a885fcd89d5453b7082c |
0 |
0 |
Sysmon Channel Reference Deletion |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
f9f553ae3b418546ce1d60bc5be320fb809f42d2184eea0be3ebe38529115176 |
0 |
0 |
Sysmon Configuration Modification |
frack113 |
Sigma Integrated Rule Set (GitHub) |
3bb0c88834d7140b8c654b55212f61356f2c8817acf24f1a8691d358280b0541 |
0 |
0 |
Sysmon Configuration Modification |
frack113 |
Sigma Integrated Rule Set (GitHub) |
d46e95fee1af14f21e84edea54e4ff0adc9b091c82e403fd89cc53d93506d609 |
0 |
0 |
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
d58a7bc786bd9e9a6ecc6de92ba386f2e8ff1b3b96a65d1cdaa66db5cd0b94d1 |
0 |
0 |
Sysmon Driver Altitude Change |
B.Talebi |
Sigma Integrated Rule Set (GitHub) |
4bcaa5dacb5e1eb968ca726b5580829575896d88af4c640f430427376c3fffe8 |
0 |
0 |
System Drawing DLL Load |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) |
0e577377d486c7998da21b8bf8adfad459d2ee2c932fddd9aa595b43b009916c |
0 |
0 |
System Information Discovery |
Ömer Günal, oscd.community |
Sigma Integrated Rule Set (GitHub) |
0e346973181b79cd813d4507ff8c38d8a584a417939557faa5fa7158cf2ba7d0 |
0 |
0 |
System Information Discovery |
Ömer Günal, oscd.community |
Sigma Integrated Rule Set (GitHub) |
3745b67648a34091bd1ecf4cfeeaba7bc12bfe1ffc83c8aea519f5888c1714ef |
0 |
0 |
System Information Discovery |
Ömer Günal, oscd.community |
Sigma Integrated Rule Set (GitHub) |
9920fd14e241024bdb1ef7da4f1d69e5ac14e3d81aa324f2395de1464b61d679 |
0 |
0 |
System Information Discovery |
Ömer Günal, oscd.community |
Sigma Integrated Rule Set (GitHub) |
de46e7313e69231a749082946337322d32ab9e628663e5d92b61586d9c24d47f |
0 |
0 |
System Information Discovery - Auditd |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
fb1fcb86cdb589a2d0fc7810aa7796360737fe3205f5d847d75ecf94876c080f |
0 |
0 |
System Integrity Protection (SIP) Disabled |
Joseliyo Sanchez, @Joseliyo_Jstnk |
Sigma Integrated Rule Set (GitHub) |
42a9bc03d7633687377855c6d2b55e058f9f52c0a837dfe263e92b7563642df5 |
0 |
0 |
System Network Connections Discovery - MacOs |
Daniil Yugoslavskiy, oscd.community |
Sigma Integrated Rule Set (GitHub) |
036282b9889ec8d8a1cdaf902e26133c4af06ef02c074d48c4e063674b97b784 |
0 |
0 |
System Network Discovery - Linux |
Ömer Günal and remotephone, oscd.community |
Sigma Integrated Rule Set (GitHub) |
780133161bc77c6fd8e998a40218c5d992ba90b4ee08ea1e489f112b4f5739e6 |
0 |
0 |
System Network Discovery - macOS |
remotephone, oscd.community |
Sigma Integrated Rule Set (GitHub) |
90acea841b97b3b53a1119f22723d62839805d36487dbabf612a9b724c86798b |
0 |
0 |
System Owner or User Discovery |
Timur Zinniatullin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
db8f6a3c12b8841963a472baa0be9f352507e250365446a6638700e5e7035e32 |
0 |
0 |
System Shutdown/Reboot - Linux |
Igor Fits, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a915654969a7479839f83e157606f0d49d87567ec32f31c4b16352afecd90f27 |
0 |
0 |
System Shutdown/Reboot - MacOs |
Igor Fits, Mikhail Larin, oscd.community |
Sigma Integrated Rule Set (GitHub) |
96710ba7369fb8bd38beca2361ac7b7447c02e93a21426970ee43af5e1e039dc |
0 |
0 |
System and Hardware Information Discovery |
Ömer Günal, oscd.community |
Sigma Integrated Rule Set (GitHub) |
fa3e44c9641ee88a3df1944a742869e28a10d6f37c0aab69e06413014fd5c890 |
0 |
0 |
Systemd Service Creation |
Pawel Mazur |
Sigma Integrated Rule Set (GitHub) |
c98ca23ae236514eac31459384aea73b66542cfac7574615d51735ecffc1cf8c |
0 |
0 |
Systemd Service Reload or Start |
Jakob Weinzettl, oscd.community |
Sigma Integrated Rule Set (GitHub) |
2b9f58e2da3f441d888d64d4aca75b8c4f27198a10b76961e1a593881f018af3 |
0 |
0 |
T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack |
Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga |
Sigma Integrated Rule Set (GitHub) |
9140e60563fcdfeb01d8d885f102c4b30ed9435ca18d2a4d8df9db6020ba2d0a |
0 |
0 |
T1047 Wmiprvse Wbemcomn DLL Hijack |
Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) |
Sigma Integrated Rule Set (GitHub) |
1ed7550018ff4afc8c6f1d36eb7b0bbb2f831f5ac43cb0a16bbb96205616d858 |
0 |
0 |
TA410 LookBack and FlowCloud malware campaigns (Sysmon Behavior) |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
2d3ca95295f2fe12c6cbd5a13bb6f9b54f0f22d3a81dbc5b82c9bfbdae44f83b |
0 |
0 |
TA505 Dropper Load Pattern |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
e6b2d2b9d4348a8c3ab985832a818688f8ed2f19e9f03c58867656810da91ae4 |
0 |
0 |
TAIDOOR - Chinese RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
680dcdde1b8bfe90bf9acba2d0f5e4c1c8b437fe2e5aa5068855ccda40180966 |
0 |
0 |
TAIDOOR - Chinese RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
68bb411fd4bf6a1ffe552b343dac5d14f00ce686424e3b32e68ee2176ab8bce3 |
0 |
0 |
TAIDOOR - Chinese RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
97b2c02dfa95bb4aaaff73fc548ad854d0cdd79e40c67de409e716ba04f8b372 |
0 |
0 |
TAIDOOR - Chinese RAT |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
fd151743b69be65652e958a898253090e87a94daf21f008ffacbfef9d8aebcbf |
0 |
0 |
TAIDOOR RAT DLL Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e8a94b22f6db7e94eaf7903de94492f4bdd5b91eaa24377a94e7e51bfdb8e562 |
0 |
0 |
TAINTEDSCRIBE - North Korean Trojan (Hidden Cobra) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
fefa666b9dddab06dca15eb5c3a044757bbf7420794f459140fae014af5988af |
0 |
0 |
TacticalRMM Service Installation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7c58e61c36389fb1f7d55de04f9df5f177ce2ba401acccf1c20e0e0d1fb38e42 |
0 |
0 |
Tamper Windows Defender - PSClassic |
frack113, Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
207c25c9408a94a6ab4fd79571c6f71741248f188bf163b2ca9ea8531bdf439e |
0 |
0 |
Tamper Windows Defender Remove-MpPreference |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
15eece1ac1e6388267d739cc6d58ebc136e63e103f833c3e270a3c1cc9836ccb |
0 |
0 |
Tap Driver Installation |
Daniil Yugoslavskiy, Ian Davis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
20135d843bc80e241d98b14cfdd38a8e122b0a032b2edd8e2dc631c53b5632ca |
0 |
0 |
Tap Driver Installation |
Daniil Yugoslavskiy, Ian Davis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
358d68998add69c3d9057a82193ae58f278aa61103f23b98603b6f2d7e59cb22 |
0 |
0 |
Tap Driver Installation |
Daniil Yugoslavskiy, Ian Davis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
a23d7badd6ad7bc64986003d146002a8cd02c1adab85136c45c522d5ab23e706 |
0 |
0 |
Tap Driver Installation |
Daniil Yugoslavskiy, Ian Davis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
c1693fcd30d2082a9f64e5a158f8acfbdb23a2e5ef0cb5c125a34a46c29a60d1 |
0 |
0 |
Tap Driver Installation |
Daniil Yugoslavskiy, Ian Davis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
f64fba8ff6db3ee854baecf3e208e1be45b8dd29c23b509f62062e55ebe28bb9 |
0 |
0 |
Tap Driver Installation - Security |
Daniil Yugoslavskiy, Ian Davis, oscd.community |
Sigma Integrated Rule Set (GitHub) |
e60d92b6ad7c18d80d842937fb0a3b1e49a9339611f31cf7f9fa688f0d1fc1fa |
0 |
0 |
TeamViewer Log File Deleted |
frack113 |
Sigma Integrated Rule Set (GitHub) |
4d5c0f83a4373919c5837ae554218d0f9f5a99734abf344ba8aa116d3f489bc2 |
0 |
0 |
Telegram API Access |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8a8587aaa3d307de3f020fd9ddb543581dd561447576a463e570558a6e78a023 |
0 |
0 |
Temporary Access Pass Added To An Account |
Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' |
Sigma Integrated Rule Set (GitHub) |
d6733a3836dcabc53efcf939702d6cf9d5746b605d08ce482e10ac6fe3d6aced |
0 |
0 |
Terdot Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
758c4cbf66a128098c5bfb6abc15633535d24cb73c1c583c8b2e6453a93c6f80 |
0 |
0 |
Terdot Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
a05609887fbb50f52f95231dae41088de78c48b2f3559cbe4761af7069777c41 |
0 |
0 |
Terdot Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
a2ea1f893fa8bd005f73e676e141c7eae499af9763fd62fa393223d6fe14326f |
0 |
0 |
Terminal Server Client Connection History Cleared - Registry |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f864355e26341358045facaf6f66106b0bf475ff0cd2a56ea6c2157735727c35 |
0 |
0 |
Terminal Service Process Spawn |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0232a28f98329276f53deac4ffd7ee149f868c8def851948c4af8e750be1b910 |
0 |
0 |
TerraMaster TOS CVE-2020-28188 |
Bhabesh Raj |
Sigma Integrated Rule Set (GitHub) |
69295716b447993c5584f18e294250daf69aa8bc979708f88313e47ca01e6793 |
0 |
0 |
The Windows Defender Firewall Service Failed To Load Group Policy |
frack113 |
Sigma Integrated Rule Set (GitHub) |
78c22cecdf2e9d4133343a231de9f0ba4be34d2e25ebe1904297c15796a21929 |
0 |
0 |
Time Travel Debugging Utility Usage |
Ensar Şamil, @sblmsrsn, @oscd_initiative |
Sigma Integrated Rule Set (GitHub) |
41bae2ae89409b6a1ff355df6e25112c56884876b18f7a5ca827d634fc1847f4 |
0 |
0 |
Time Travel Debugging Utility Usage |
Ensar Şamil, @sblmsrsn, @oscd_initiative |
Sigma Integrated Rule Set (GitHub) |
ac619a6a73b5c0668aeb218c1580100bf9e6f7791822b92360cb51fb09394ccd |
0 |
0 |
Time Travel Debugging Utility Usage |
Ensar Şamil, @sblmsrsn, @oscd_initiative |
Sigma Integrated Rule Set (GitHub) |
c5cd42b219e3389810b80d30f0df29501f964191e806ce3ad063b9cf5c621fb4 |
0 |
0 |
Tinba Banking Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
af02ff0def6aec347fa7d49ff18febb8c477a257f2e7dc8ca67d0cdbe9dddb0a |
0 |
0 |
Tirbot Trojan (Sysmon detection) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
985b4d1a9a38675b5a512221d45a61dfdf349da41c92df19ae3776b712fe20e0 |
0 |
0 |
Tomcat WebServer Logs Deleted |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6b492c838f7475476622510916ddd410c03f7533bee9c8754fc3d58876763f4b |
0 |
0 |
Too Many Global Admins |
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' |
Sigma Integrated Rule Set (GitHub) |
8c281570aa4889433c1dba5a061d2b726e9a7cc1cd7a755920492caa3445142d |
0 |
0 |
Transferring Files with Credential Data via Network Shares |
Teymur Kheirkhabarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
b901cdb66cb3627f3cf9d508421eb3e34409337ecfea0476c0896c63c71dbd74 |
0 |
0 |
Transferring Files with Credential Data via Network Shares - Zeek |
@neu5ron, Teymur Kheirkhabarov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
c32a3e7518848a21d37b9b5d6a00e756e5ce36f0ba6f2b79a1304a7fa9f1369d |
0 |
0 |
Trickbot Malware Recon Activity |
David Burkett, Florian Roth |
Sigma Integrated Rule Set (GitHub) |
7cf68fc17a7548176432b7778814a6be12c78c6b34b7a55b4b5d457302f2c07a |
0 |
0 |
Triple Cross eBPF Rootkit Default LockFile |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
667bf30fabdb96e0478fb27252c4518b8fb42113dfd0199bb412bd5ded033ab7 |
0 |
0 |
Triple Cross eBPF Rootkit Default Persistence |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
991266c345f7903602d083e0230f82b591211a09e8cad64809a9c3a8131c61f3 |
0 |
0 |
Triple Cross eBPF Rootkit Execve Hijack |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
23fe8de813dfa4aa4cf175107cc3a9de090fd8f04b8bdbf910d6f091d5a431ce |
0 |
0 |
Triple Cross eBPF Rootkit Install Commands |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fe1e5e93f3a2393f66f3e0e1e356624a6bd384c3af2b4e867d9687218febb660 |
0 |
0 |
TropicTrooper Campaign November 2018 |
@41thexplorer, Microsoft Defender ATP |
Sigma Integrated Rule Set (GitHub) |
2490e3004ac94fbdd6f3d694aa2c24ec00b0193bcac04aad389d62a43350ce61 |
0 |
0 |
Troubleshooting Pack Cmdlet Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0bebecc11486eecfc3a6380a6ab35579f5d0110c8afd83429be88564f7b10ba4 |
0 |
0 |
Turla Group Commands May 2020 |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
13b646717610af0f26e60da5f245b187d697983865f41f8426677226a1dd67e9 |
0 |
0 |
Turla Group Lateral Movement |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
4ac69336261d41d0d7c5dabb3bbf3be9deae948f76c2139e4061f519c6fb043f |
0 |
0 |
Turla Group Lateral Movement |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
4ad16e7f0f86e364c4e7a74f240c76737de2845d3ff13e38a2c4437cfea2af8b |
0 |
0 |
Turla Group Lateral Movement |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
a84f3c195555e22fcc4045469fd306dbb60cf28e91ae7b9325eb49aeda608af7 |
0 |
0 |
Turla Group Lateral Movement |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
baa2e26b5f61d81ea9128226f369bdc536ba0a183e703eaafc23228dffbd64bc |
0 |
0 |
Turla Group Lateral Movement |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
dca19d018ba977a72de3571dc1f68228d2444d8b447b50e25b07422b5b014d9c |
0 |
0 |
Turla Group Named Pipes |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
5c1a908c4195fe1b85776a2a1c86cef843d6c40a00070ca9c5ab3043dc19a164 |
0 |
0 |
Turla PNG Dropper Service |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2181500508cba32078d248a61c926bf73a4bb6ebc4bececfd9d4ac607b57151d |
0 |
0 |
Turla Service Install |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8d5d550c1852a70e22df794241027e8fda50a74f9c87728f63752437404f20a8 |
0 |
0 |
UAC Bypass Abusing Winsat Path Parsing - File |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
bb336c05f65b92ba4f8c077675fd297597dc9e6a58d623eb2a05ba80991cf674 |
0 |
0 |
UAC Bypass Abusing Winsat Path Parsing - Process |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3336002627a5fff9960ca0a12f53f9173bf13d359096c010f818ad83f0bd3d60 |
0 |
0 |
UAC Bypass Abusing Winsat Path Parsing - Registry |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
27a9b69a6e2addb8fe0735e96f0d27ace4b79d17eefd764ce3f0288f74cb21c1 |
0 |
0 |
UAC Bypass Using .NET Code Profiler on MMC |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
e72fb1b5f98a1609a868416ee85fb716eb8e4705f84b33fd471cf747357dea7c |
0 |
0 |
UAC Bypass Using Consent and Comctl32 - File |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0bc48db9b102772d4daac62f85032a7501fed1102a95f95e8414a0dd3e51732c |
0 |
0 |
UAC Bypass Using Disk Cleanup |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
639d8d816b374bf0b59c239c80f872bc5c00756e4888cc7934f8a33386306d57 |
0 |
0 |
UAC Bypass Using DismHost |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
84ae6514a422f3ac64733fe09e8c77e483ddc11d6eec7b8b1f5bf41dade82970 |
0 |
0 |
UAC Bypass Using Event Viewer RecentViews |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3ad7648de4bdd4a9308e13e8fd3d5b06683f34acaaf1c19bdc02e51da6a78a2b |
0 |
0 |
UAC Bypass Using EventVwr |
Antonio Cocomazzi (idea), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8b0b79836bed93fb4599afe6b48c8fe841a6fe946be47e7b9a7897b9d385569c |
0 |
0 |
UAC Bypass Using IDiagnostic Profile |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2342c5abe846c316971ff297a5031a5b709b6fa1fa950039e2af8ed232147eb7 |
0 |
0 |
UAC Bypass Using IEInstal - File |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
00df1f50def5c07da9bb57ea8313bde4905aeeff9ebf1b2b923600351791bd23 |
0 |
0 |
UAC Bypass Using IEInstal - Process |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
36c54ff9b60bfb04067bb4fc3cb55f0efba4285c46c56123f298c17f0ff6aeb1 |
0 |
0 |
UAC Bypass Using Iscsicpl - ImageLoad |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
52d8603311fc452b325fffcf27b4e2b1cb851c94b1eff796c0f25cf109a5aaac |
0 |
0 |
UAC Bypass Using MSConfig Token Modification - File |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1d94cdf7ebb62637f664d4e56943049dfd2e84e3a534202d08775a957375ee59 |
0 |
0 |
UAC Bypass Using MSConfig Token Modification - Process |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
fed3f4e9a7b7505b5d9cf3fa38366c77ae1afaf2a73f5ec6e4e82353cb87e312 |
0 |
0 |
UAC Bypass Using NTFS Reparse Point - File |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b61e713566d145c79ce59678aadb8a675e19a1177e0477c9916dae6960d75e1e |
0 |
0 |
UAC Bypass Using NTFS Reparse Point - Process |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b04ae33635c5e4e7fe2dc9592b339835bcf2233b6e640991cf271389ea49fb2d |
0 |
0 |
UAC Bypass Using WOW64 Logger DLL Hijack |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
136d5312f0c32e4f8a7ed5923499a1fb0d03c457a9b9ff2e66d2d833900dd856 |
0 |
0 |
UAC Bypass Using Windows Media Player - File |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
dea23a2bff0dfc0ed3530c94cc3fa73835c8ee53d7dc7b6426775799cb4c719e |
0 |
0 |
UAC Bypass Using Windows Media Player - Process |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ddadf6d9fd6af912e7f512980649fd8c1628beae5483c5f009920946687a91c0 |
0 |
0 |
UAC Bypass Using Windows Media Player - Registry |
Christian Burkard (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
06a48f1443d5688a49e7b4d5436e507df7fcfeb8780da328f16235c4c06d927f |
0 |
0 |
UAC Bypass Via Wsreset |
oscd.community, Dmitry Uchakin |
Sigma Integrated Rule Set (GitHub) |
46af1a978d9d6da64e0730a4b0d6dfeb8cab34fe21a2fdc0d3b8e0a428e12c21 |
0 |
0 |
UAC Bypass via Event Viewer |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
1d6ad51b3643427cc3820debc181e8c8a71afff1bee8642632fd392fde905cf6 |
0 |
0 |
UAC Bypass via Event Viewer |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
3a5e9509b313781bf9324f49cac4a71e1e5e822abacd7f2707c6d32f8920aea1 |
0 |
0 |
UAC Bypass via Event Viewer |
Florian Roth |
Sigma Integrated Rule Set (GitHub) |
4134cd9d74207db899c24fb73563c311684932a317e61fe905fdc29a75f69109 |
0 |
0 |
UEFI Persistence Via Wpbbin - FileCreation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f0dfed59c7940c5f4bdd864552c6aac4d66f3411265e923638850c0fe778cb68 |
0 |
0 |
UEFI Persistence Via Wpbbin - ProcessCreation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f6f13948084188f429a00590eca0f80bbbe186a8b7b37042a6f6035cef1a1dee |
0 |
0 |
UMWorkerProcess Creating Unusual Child Process CVE-2021-26857 (via cmdline) |
SOC Prime Team, Microsoft |
SOC Prime Threat Detection Marketplace |
282370a5b2c99cb2055e32a9c50853be0a162c16914c919ee60730f93e7a1902 |
0 |
0 |
UNC2452 PowerShell Pattern |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f91a07dae0817dd517cae4782092e392760c32e680fb4b40f69789c8ea2642c7 |
0 |
0 |
UNC4841 - Download Compressed Files From Temp.sh Using Wget |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
3f390ea9888bd7f07ccecbb0fb601ea24948f868623b6c3393db5f296049fee1 |
0 |
0 |
UNC4841 - Download Tar File From Untrusted Direct IP Via Wget |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a254bf29c3065c56ea42502ff1804f062fa3bf1acecff169ebb7966e5aec59d3 |
0 |
0 |
UNC4841 - Email Exfiltration File Pattern |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
92aa9f0124f7f929188d737b6d345047c95ed5bc6bad87c21559dbe238d0c647 |
0 |
0 |
UNC4841 - Potential SEASPY Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
69ce56c47b0a7e3d28c61a709ca279a5369afc3e6a76ae7f74576338ac4cecc8 |
0 |
0 |
UNC4841 - SSL Certificate Exfiltration Via Openssl |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
1ebc4c174f6064efb43de3a4aaa0ba3acc68bb85642c21032ed5f7a4ac8167af |
0 |
0 |
USB Device Plugged |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f231038326d2da7583778551de319d33b9b9529e55671b62cbdd58a4a4697507 |
0 |
0 |
UnReCom RAT (Possible New Adwind variant) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
0b787243bca178008ec0c81d915960fab3bbfdc78bc0b77ad770128d2f342b3c |
0 |
0 |
UnReCom RAT (Possible New Adwind variant) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
4d7d569ef6ec13af576994a62b027bbec44b85374393abedc5f477ee650e0455 |
0 |
0 |
UnReCom RAT (Possible New Adwind variant) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
5dee39e59001813316f98d63213edd768463d33a54507273b7feb22753fb9a32 |
0 |
0 |
Unauthenticated file read in Cisco ASA & Cisco Firepower CVE-2020-3452 (via web) |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
0cfd9195be7ced6620371c11ca6323fee3c0b5d0b9ea805f017a841110683b91 |
0 |
0 |
Unauthenticated file read in Cisco ASA & Cisco Firepower CVE-2020-3452 (via web) |
Roman Ranskyi |
SOC Prime Threat Detection Marketplace |
789fc5bb01e3f3b18df9537ead68abfcaacecbf0a526ab8207c7e6f198d8a5e3 |
0 |
0 |
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE |
Mateusz Wydra, oscd.community |
Sigma Integrated Rule Set (GitHub) |
842f615741b9cfb621f4ae3f95d42e256251fe082e0f4c533c1633ffcc70adb8 |
0 |
0 |
Uncommon AppX Package Locations |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7c13d7196b7cf3506165b5b41f4822271ab412cb6a4c27b9036aea5590da8241 |
0 |
0 |
Uncommon Child Process Of Appvlp.EXE |
Sreeman |
Sigma Integrated Rule Set (GitHub) |
e95a64931dc936ea0b79a4d48a5cf5f247dc55a78f0cb754480de9f58dcd9ce2 |
0 |
0 |
Uncommon External Facing Application Service |
SOC Prime Team |
SOC Prime Threat Detection Marketplace |
1c5a833abe2b826a6d444da72f62ea23742c5770ece407730a66ef8300dbdcfd |
0 |
0 |
Uncommon GrantedAccess Flags On LSASS |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
8cae91f5123a6836e62fa8710765cfb6bc14fe646f30df2ac61ee942a629fa28 |
0 |
0 |
Uncommon Outbound Kerberos Connection - Security |
Ilyas Ochkov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
55516cecb3b5273d1166f185e3e1bcd239eaaa5df10cea2fb888c3f4d4e4dbdf |
0 |
0 |
Uncommon Service Installation Image Path |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
395cbe985c82a45145fc0889813f6c49aa0c6106eb0c796f51548505a7e839f0 |
0 |
0 |
Unfamiliar Sign-In Properties |
Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' |
Sigma Integrated Rule Set (GitHub) |
0960a31d612ce9c4db0df6ef113ad74f21307572eba4bc99320a92dee732cf87 |
0 |
0 |
Unidentified Attacker November 2018 |
@41thexplorer, Microsoft Defender ATP |
Sigma Integrated Rule Set (GitHub) |
b08d52ecad9f030d424d9663403423559c1951018ae4cafc8f10b0ef2ad0f77f |
0 |
0 |
Unidentified Attacker November 2018 |
@41thexplorer, Microsoft Defender ATP |
Sigma Integrated Rule Set (GitHub) |
b5002bc251d42658f759ab88719976f8698c099d4450bc798cdbf9e219cfab1e |
0 |
0 |
Unidentified Attacker November 2018 |
@41thexplorer, Microsoft Defender ATP |
Sigma Integrated Rule Set (GitHub) |
c02ac5aedb6c89eac4725d7a30df43b4631994b8ad7cee3473099d0926df9a80 |
0 |
0 |
Uninstall Crowdstrike Falcon Sensor |
frack113 |
Sigma Integrated Rule Set (GitHub) |
7319e259606b1d76ca31570f4a8256ad40f0297486f907c00ae96d5721d87794 |
0 |
0 |
Uninstall MRT(Malicious Software Removal Tool) |
Joe Security |
Joe Security Rule Set (GitHub) |
65e79d3af45ae35c43129d364f5298d673522c7fcb9fe33b3cd10eb832021e80 |
0 |
0 |
Unix Shell Configuration Modification |
Peter Matkovski, IAI |
Sigma Integrated Rule Set (GitHub) |
68a01966efd88c63ae041676509e0ef8575e52fc5281a857c9e53e50618990cb |
0 |
0 |
Unknown Exchange 0day Relevant Crash Event (via application) |
SOC Prime Team, Microsoft |
SOC Prime Threat Detection Marketplace |
df18dcdc7e0de08d0a24ac99b5e39af9106c4594de1e213961a00f36bb1fb7cf |
0 |
0 |
Unsigned AppX Installation Attempt Using Add-AppxPackage |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
2f3b1d2c658dbc9834a1f03a745bde48a6246581c4743ab5a367fa110a573901 |
0 |
0 |
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
4904cdf688011b439421df3982ef9579c40ff41600b136fa566c3ee3620bc150 |
0 |
0 |
Unsigned Binary Loaded From Suspicious Location |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
52df065ad27fb68c7a9748269ee6807a740bbad58d84cb0e10e634e4d5db3498 |
0 |
0 |
Unsigned Mfdetours.DLL Sideloading |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9d4a210e1fce413ac152a47099ba449b69b9a81e4e6dc7e5e09035ba0b2d975d |
0 |
0 |
Unusual File Deletion by Dns.exe |
Tim Rauch (Nextron Systems), Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
e7ac89a7400fc9dd0df100c1d669a7f242999251c2c8b0c0fce3b2b6de6a9030 |
0 |
0 |
Unusual File Modification by dns.exe |
Tim Rauch (Nextron Systems), Elastic (idea) |
Sigma Integrated Rule Set (GitHub) |
7e9cf1866902c13af537edaf7d179eb6d986caec99ff16486322a34b8d8f9ace |
0 |
0 |
Ursa Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
474d9106c04c0567868d564b0f9fd47bc5094b1d0930bbc47d60fbd690f9fc68 |
0 |
0 |
Ursa Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
8aa514ad684698cba9daddea167e737b38eac3917d5a8c44b11684e4fe0819f3 |
0 |
0 |
Ursa Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
d16ef015b59d30d0df3ba7fbe07aa8edeac37ec141c0ee5852c1a88ce602094a |
0 |
0 |
Ursnif Malware C2 URL Pattern |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
d983b04ec090162c842c62845c96abbce6bba8d1a7611826053d7ba25fd8918c |
0 |
0 |
Ursnif Malware Download URL Pattern |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
f320e891edef939c4d89f2e964476f57bf9d8a92415164cce650183f1820be10 |
0 |
0 |
Usage of Sysinternals Tools |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
6caf06038ef037f3ac3da62377560d3544dd6d6b89ac3959ecb666489940b9aa |
0 |
0 |
Usage of Sysinternals Tools |
Markus Neis |
Sigma Integrated Rule Set (GitHub) |
c2020adce966e19fbcd161d9dfee7f79c0db26018d089ec95e78e41a583fe0bd |
0 |
0 |
Usage of renamed binaries(wmic, regsvr32) |
Den Iuzvyk |
SOC Prime Threat Detection Marketplace |
c21c41fa3a1749d217cfe78b997b24c415176f9c5f587ddb417fb4893325d908 |
0 |
0 |
Use Of Hidden Paths Or Files |
David Burkett, @signalblur |
Sigma Integrated Rule Set (GitHub) |
8d1354dc5493d0fb6e4a095171c3149c23d30ebf94615e365c929586e3377935 |
0 |
0 |
Use Of The SFTP.EXE Binary As A LOLBIN |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
a069144dec00288090d91cc6d2819598d766dbacfe7fea3d99db45e584e16311 |
0 |
0 |
Use of Debugfs to Access a Raw Disk |
Janantha Marasinghe |
Sigma Integrated Rule Set (GitHub) |
e44003037576d0f894fcce984d49fa4553f8ef93a8dc2361877e5525daa348b4 |
0 |
0 |
Use of Legacy Authentication Protocols |
Yochana Henderson, '@Yochana-H' |
Sigma Integrated Rule Set (GitHub) |
eaecf1b821f4ae8e60abcee93d4f47189877d34662aa751d0e0afdacb09b42ea |
0 |
0 |
Use of Setres.exe |
@gott_cyber |
Sigma Integrated Rule Set (GitHub) |
e5133d8b08b3ee12d49e47c6fca47525621545251170b598430b7a5af2a40efb |
0 |
0 |
Use of VSIISExeLauncher.exe |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ee623073c7ba0607d0ffcaebe48189e0103fce07699171a128d3e9ec423a7134 |
0 |
0 |
User Access Blocked by Azure Conditional Access |
AlertIQ |
Sigma Integrated Rule Set (GitHub) |
c40f9bf14b74802e89f6f64d76fd9c7700fe103474cfc637cd33d1fef4c7f287 |
0 |
0 |
User Account Hidden By Registry |
frack113 |
Sigma Integrated Rule Set (GitHub) |
56111de5ed278e91db489f073c3588c47751272535dbf96b5a22adb9240b42e8 |
0 |
0 |
User Added To Admin Group - MacOS |
Sohan G (D4rkCiph3r) |
Sigma Integrated Rule Set (GitHub) |
a97494c6bb936418effa72b32b625cff9ae077fcba3a5a7a92073d8849d6e6ae |
0 |
0 |
User Added To Admin Group Via DseditGroup |
Sohan G (D4rkCiph3r) |
Sigma Integrated Rule Set (GitHub) |
a1fbaefb97a0af3898c29634542046ded26e95d110f1731d23619edead26f3a1 |
0 |
0 |
User Added To Admin Group Via Sysadminctl |
Sohan G (D4rkCiph3r) |
Sigma Integrated Rule Set (GitHub) |
b3d38a4e1528c7a534bd34bbe4cddf52ebafe46cd78ff9330e7e94d8def3fa9d |
0 |
0 |
User Added To Group With CA Policy Modification Access |
Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' |
Sigma Integrated Rule Set (GitHub) |
4e4068f62d77c9cf12c62b34935a2bcc0f5455e70b73aa899a1d2312996bddd4 |
0 |
0 |
User Added To Highly Privileged Group |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ed42d985ebe7582bc165828affdaf85ed669feb34b818906d5c4ea80a6aa8cd7 |
0 |
0 |
User Added To Privilege Role |
Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' |
Sigma Integrated Rule Set (GitHub) |
6ae533b0f16db4db3f61df052244c932bd1596e0f099c69e4f749eb31f66b644 |
0 |
0 |
User Added To Root/Sudoers Group Using Usermod |
TuanLe (GTSC) |
Sigma Integrated Rule Set (GitHub) |
6b2fe5864b124ca13d2798f2909f4aec0bcf7b4cc4031cb92659113cf926b349 |
0 |
0 |
User Added to an Administrator's Azure AD Role |
Raphaël CALVET, @MetallicHack |
Sigma Integrated Rule Set (GitHub) |
339c344d69b808b4c773cb492f914a59b8d3d67cc415f392ef0202cbe4837d7c |
0 |
0 |
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' |
Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community |
Sigma Integrated Rule Set (GitHub) |
11a18935f3a8e1e4c4cc09e59d69155a1777e2762605adcc495c58cc96abce1d |
0 |
0 |
User Logoff Event |
frack113 |
Sigma Integrated Rule Set (GitHub) |
dc41474393f8b1bb12ed77d073f3c9caeae29a2c52bed4e38b0eeb7dc096717e |
0 |
0 |
User Removed From Group With CA Policy Modification Access |
Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner' |
Sigma Integrated Rule Set (GitHub) |
56ff8902a91c340fba7751e6f001b6df01f61c5c7016cf767671d01e5e8b83ad |
0 |
0 |
User State Changed From Guest To Member |
MikeDuddington, '@dudders1' |
Sigma Integrated Rule Set (GitHub) |
c8265ffa5537846bcb318002b32fe0203851fa7fb6902d8a370d0167897ae0cc |
0 |
0 |
Users Added to Global or Device Admin Roles |
Michael Epping, '@mepples21' |
Sigma Integrated Rule Set (GitHub) |
28901a8164592dc9ae0a711e39a5fd87681db7a1fa8153e1d92469bf99f67c7d |
0 |
0 |
Users Authenticating To Other Azure AD Tenants |
MikeDuddington, '@dudders1' |
Sigma Integrated Rule Set (GitHub) |
3a5dc528ef393315b09dc27af65a0e34e86e4841166fe15c4bc23a53b6a20d98 |
0 |
0 |
Using SettingSyncHost.exe as LOLBin |
Anton Kutepov, oscd.community |
Sigma Integrated Rule Set (GitHub) |
90604343649b0a434f2aaf1ac225f1535b3d2b0766ba92bc80cfaed426f07695 |
0 |
0 |
Utilization of "expand.exe" to deploy files from "Temp" folders |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
ade628a427870c8c3442dd7aac9c2d401c3e96ef82d4b92d8128cdeeff3062e9 |
0 |
0 |
VMGuestLib DLL Sideload |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
7728a2cbbd2433e4ba58ba22b327fbed7ba0e274a6c13f6ed6132ecfd33a32a9 |
0 |
0 |
VMMap Signed Dbghelp.DLL Potential Sideloading |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
784c07c8b34e1168e32c433106c9d95f4198a8fcff9f406cf56f34d9830b042f |
0 |
0 |
VMMap Unsigned Dbghelp.DLL Potential Sideloading |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
082557e778780e1b1845d3e703e5cbe8d3ea60e302c98c78d2127999c277c97b |
0 |
0 |
VMware vCenter Server File Upload CVE-2021-22005 |
Sittikorn S |
Sigma Integrated Rule Set (GitHub) |
307fdbfc019c602d9b897165bdfdff09e71bae733f6e0a8b5305ca81f5f7cc6d |
0 |
0 |
VSSAudit Security Event Source Registration |
Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) |
Sigma Integrated Rule Set (GitHub) |
82ec398800a85ecb732c915486c59e1a4abe901700e658ccab6308f47245e33e |
0 |
0 |
Valak Behavior (Sysmon and Cmdline) |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
bd88e7274c701ecb8921074eb102f73f8f0d4a5ac0708ddae5a1e369ef71569b |
0 |
0 |
Valid Users Failing to Authenticate From Single Source Using Kerberos |
Mauricio Velazco, frack113 |
Sigma Integrated Rule Set (GitHub) |
a3ae92169de3a473b385950d6a3e85b2a991c8be31e68ccb84577f16515c3407 |
0 |
0 |
Valid Users Failing to Authenticate from Single Source Using NTLM |
Mauricio Velazco |
Sigma Integrated Rule Set (GitHub) |
05e5abf2c5d151e82602b134f795f3449e651ab33f591a2f4a98aab8d54031f9 |
0 |
0 |
Veeam Backup Database Suspicious Query |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
02ab4d1d7b20c1483401a052db453d31a1279e4d07c97cb0a63e9cbceb23ea88 |
0 |
0 |
Veeam Backup Servers Credential Dumping Script Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
0de9c38d23396595d72b0260301946f4862519515b73a02737377c862f888baf |
0 |
0 |
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE |
frack113 |
Sigma Integrated Rule Set (GitHub) |
912e511ef1e7ba499a5cf1552134869bb633ba21adbdddb20785e6c3ab04e761 |
0 |
0 |
Vim GTFOBin Abuse - Linux |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
ac5bf066ac84953fc0ec69419bf2f8a7bb3c62256fadaab219b67a8216a86e1f |
0 |
0 |
Visual Studio Code Tunnel Execution |
Nasreddine Bencherchali (Nextron Systems), citron_ninja |
Sigma Integrated Rule Set (GitHub) |
ce3375fde5baee5b30869d7fef57755699d5c5746797e9d5b8d340907990028e |
0 |
0 |
Visual Studio Code Tunnel Remote File Creation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
15ad665f8c076c09c7570e6bce8bd1427c79e667c7e54616f90dba4d158307b9 |
0 |
0 |
Visual Studio Code Tunnel Service Installation |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
9d0f8238a591d140a723c8baf568593a91dc87ef9b219027376c8e8b2a1fa263 |
0 |
0 |
Visual Studio Code Tunnel Shell Execution |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
f76cc179eda8c933fe2ad43b2cf8f43a9222bce56c8bbbae0963b3e56b50b82d |
0 |
0 |
Visual Studio NodejsTools PressAnyKey Renamed Execution |
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
6b0a480dce7ab2e7b5ab4d19e862a01b3cf23bd196963972c2303c12f9abd4bc |
0 |
0 |
Vjworm Trojan |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
a274e14c306334155818a08604184fc950850cf7facfe0df879c1608fda2cc4e |
0 |
0 |
Volume Shadow Copy Mount |
Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) |
Sigma Integrated Rule Set (GitHub) |
632fbc79a450be1208f0c3c1246793ff703d551fb7163488db4d1de2b2483d5a |
0 |
0 |
Vulnerable HW Driver Load |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
b919d89a4b8aa0f73640c2c74767522029958fe0b18e389d11faa0049b5c7fe1 |
0 |
0 |
Vulnerable HackSys Extreme Vulnerable Driver Load |
Nasreddine Bencherchali (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
c3238787747f1f397da43842b3f4cc790fe5310869f27bc4de73114f876bf1c5 |
0 |
0 |
Vulnerable Netlogon Secure Channel Connection Allowed |
NVISO |
Sigma Integrated Rule Set (GitHub) |
3f84718f22c39831d8b99ef0dc98874d6e50b02602ada051c9eafb98360fc647 |
0 |
0 |
WCE wceaux.dll Access |
Thomas Patzke |
Sigma Integrated Rule Set (GitHub) |
183cf5523bdd58d20e93e3b2bb367c38caec4fe344a0aea45722954e9fe9ed9f |
0 |
0 |
WMI Event Consumer Created Named Pipe |
Florian Roth (Nextron Systems) |
Sigma Integrated Rule Set (GitHub) |
01446bc086a25ac157aacfacf8ca447f2f195cd8dd67c3a8cb6a881dc5ac53be |
0 |
0 |
WMI Persistence |
Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community |
Sigma Integrated Rule Set (GitHub) |
58154fd247cd9b589c6903a15ffa196e0e50cca640eeadc0ca86c289dbeae3bf |
0 |
0 |
WMI Persistence |
Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community |
Sigma Integrated Rule Set (GitHub) |
85bc7739560701dd55a0c7eab1ee7b00c0ddea32b913c6e0b6798b889419591b |
0 |
0 |
WMI Persistence |
Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community |
Sigma Integrated Rule Set (GitHub) |
aa847a1640b2ae82a6149c6f0b44f8ec7170516b4502113a92de7898285ff89b |
0 |
0 |
WMI Persistence |
Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community |
Sigma Integrated Rule Set (GitHub) |
f674f8881516524de991b8439ddd2248fd25bacea659a067680337c89b7a6c5b |
0 |
0 |
WMI Persistence - Security |
Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community |
Sigma Integrated Rule Set (GitHub) |
a9246010da9b679de378be05b2d90c9171220c5fd5b0545883bdad8a49e9811c |
0 |
0 |
WMI Reconnaissance List Remote Services |
frack113 |
Sigma Integrated Rule Set (GitHub) |
122d74917c1ba5d7e854a6a25e2ce8bd997bfe1398c7b5ddaaecb88edf02edd8 |
0 |
0 |
WSH RAT behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
0d8ca71c713cdf5f939ca8eea9288f6c9c665f224016b4672972ff569c13bb16 |
0 |
0 |
WSH RAT behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
9fb650b5e787c7d815eefa0591bfb991ad5773d231d11d1acc58ac460648e903 |
0 |
0 |
WSH RAT behavior |
Ariel Millahuel |
SOC Prime Threat Detection Marketplace |
c542efb138f0e8fde0df28089aa73fd35cd12a439000e607e4e10b10ecb3f743 |
0 |
0 |
WScript Launched By Powershell |
Joe Security |
Joe Security Rule Set (GitHub) |
dd10c5eb1b4cfd51330d892c57a9cfe7ce41ac02ee121c141435ea97a71bb073 |
0 |
0 |
Wannacry Killswitch Domain |
Mike Wade |
Sigma Integrated Rule Set (GitHub) |
1835f85f70bcf5e9613228e05d8ab33dae73c11d41a4e5876ceb6f2002b31167 |
0 |
0 |
Wdigest CredGuard Registry Modification |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Sigma Integrated Rule Set (GitHub) | 6b2853b0e68d3b3c786df7c3960aa8764840caaee74ca35f04ee828c6df43a68 | 0 | 0 |
Weak Encryption Enabled and Kerberoast | @neu5ron | Sigma Integrated Rule Set (GitHub) | 2be706f3f2686605d5ee19c899ca7bdb688e826ad3b82c1c873627c8aad568bf | 0 | 0 |
WebDav Put Request | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 52301a573727517b97c3069178ccee0ad367c8581abc440bbad2eec03af8c709 | 0 | 0 |
Webshell Detection With Command Line Keywords | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | fadc206ec1e9e99804969634aed9b633228630e0a72122317cd3e674846a8c7c | 0 | 0 |
Webshell Hacking Activity Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 090a4e0f86cd79615ec9497fe86d20f669ba462456650789957743e9f0d2b86b | 0 | 0 |
Webshell ReGeorg Detection Via Web Logs | Cian Heasley | Sigma Integrated Rule Set (GitHub) | 3b59889f7c01566d9506c1b2b7b8b37af0e7f21424d03390fc64c4f32e4328f6 | 0 | 0 |
Webshell Remote Command Execution | Ilyas Ochkov, Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 6f8b96808977daa36d34a09923e361bdd17a9353c89c25c73253f29bb35b833d | 0 | 0 |
Webshell Tool Reconnaissance Activity | Cian Heasley, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d9519d30d9c273a67a5b26f64e780cfeec59454accd4f3237419da2afbb82c8d | 0 | 0 |
Wget Creating Files in Tmp Directory | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 3ba440a3a16379936b3dedb5560cd1507305acd4fb83278b8966c7306075d1a7 | 0 | 0 |
Win Defender Restored Quarantine File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 40c49d33668c9f0f3cfccc3a77c3c97ddd40be6255bc5c73e68e52d69a5766a8 | 0 | 0 |
Win Susp Computer Name Containing Samtheadmin | elhoim | Sigma Integrated Rule Set (GitHub) | f15178ca26b342888299489ddb508bd98df518559135f4ba262e4d4d3ced4c06 | 0 | 0 |
WinDbg/CDB LOLBIN Usage | Beyu Denis, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 93807d89530fb696ca050ed3db0953ce414b88509cf142223144b53058957b9a | 0 | 0 |
Windows Binary Executed From WSL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cd43ee2d94d772e665bcfa48cb7947896af901119dd066239a467331d3c819ba | 0 | 0 |
Windows Credential Editor | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2120dcc15751868d99ce91b7721c2a27b2b8b8d542b4621a0ece4594a4cd73b2 | 0 | 0 |
Windows Credential Editor | Florian Roth | Sigma Integrated Rule Set (GitHub) | efb250f52392ac4446104881ff38dafa4934fa84d2f3357065c51b4873c737fc | 0 | 0 |
Windows Defender AMSI Trigger Detected | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 9944cda138f9f219e918f109ce968902b602a32f60c6ed006bb112b15ba2dede | 0 | 0 |
Windows Defender Configuration Changes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d9f0bb23c43de6f9d9053f483a0c1f6130434af54ae4dd0d50ccdbaa3bb1a070 | 0 | 0 |
Windows Defender Exclusion Deleted | @BarryShooshooga | Sigma Integrated Rule Set (GitHub) | 9f8f2e538f8940225963535efe13195a21ff11fbd854ae4a4839213643b7c973 | 0 | 0 |
Windows Defender Exclusion List Modified | @BarryShooshooga | Sigma Integrated Rule Set (GitHub) | 73152f171f55d7f7043c1736f071e1ac55ec0708b0d000c9a777765f048ebfd4 | 0 | 0 |
Windows Defender Exclusion Registry Key - Write Access Requested | @BarryShooshooga, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 29051fc71a16779223e0e3bf42ba8b7a5e0b066a0b0cf3a34684da1337ca0f4b | 0 | 0 |
Windows Defender Exclusions Added | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 20ee93291281ad45d4704a39eb182e955d4353c917a1872e15423a2ebfef6378 | 0 | 0 |
Windows Defender Exclusions Added | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 2231f93169c7efed228559b8ba20664ec6cf05f5a2df8494b89151752237fb8c | 0 | 0 |
Windows Defender Exclusions Added | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 52d226d49903df8a4f8ad9d9c7932a887e76679a19f5dc4a55db4471cb55b454 | 0 | 0 |
Windows Defender Exclusions Added | Christian Burkard | Sigma Integrated Rule Set (GitHub) | aa5b43fba93f194b9cb53e9215833465cb9fbfb8f9787ee9ac6ec99db12d40b7 | 0 | 0 |
Windows Defender Exploit Guard Tamper | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5b67a2f8e02b15ee631c054972ba527505c95ee81616bd7f19a214632f855a2a | 0 | 0 |
Windows Defender Grace Period Expired | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | 1bdcc2dc845603bf60227227d1cd0c2902ed43f2c73a43c193f83cf7624a50d5 | 0 | 0 |
Windows Defender Malware And PUA Scanning Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | 792bdcc04027f8aa778f6f4ee57197ca5cccfd042175e97de0f4786571d9c163 | 0 | 0 |
Windows Defender Malware Detection History Deletion | Cian Heasley | Sigma Integrated Rule Set (GitHub) | a69f67541c11d90298cb228bee82651387015e4cd30917b3511fde5c028f1eb0 | 0 | 0 |
Windows Defender Submit Sample Feature Disabled | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 17c80ba51043879dda142abd54f791583a8411715348463957a3f0ac5c98d6e9 | 0 | 0 |
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | a6317aefcc7e070bf2d65b66a15af84858276fd8c4350ccb4cc0bc93261757ea | 0 | 0 |
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | ed87c230c6d4207b37197d5b9085406475eec57fdb0315aa3f474a07c39806f6 | 0 | 0 |
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | f2d1be0ba54a53b3a9599c9697ecd28df209373ff460d809e0da374627734853 | 0 | 0 |
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | f41376cbd0bf111c80a06c14f23ee727ec0a64de4ab379cc3853b54b5d945035 | 0 | 0 |
Windows Defender Threat Detection Disabled - Service | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | 7998082d3f734247061e2d59f83e2a3a523414bed9e74c2adb7bcb0404abce97 | 0 | 0 |
Windows Defender Virus Scanning Feature Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | d94c45e686425cd40427c11b8330754e07bc58272b1cb384c1f60555432ffc74 | 0 | 0 |
Windows Event Auditing Disabled | @neu5ron, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d73609956e7379a0917a1fd771e4351b523579011a752df34e3ed749bf878180 | 0 | 0 |
Windows Filtering Platform Blocked Connection From EDR Agent Binary | @gott_cyber | Sigma Integrated Rule Set (GitHub) | bfa1eb477b52d7559d5959d24a69f63c570cec4b16f131e2a1a57dd875956a89 | 0 | 0 |
Windows Kernel and 3rd-Party Drivers Exploits Token Stealing | Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule) | Sigma Integrated Rule Set (GitHub) | 25ad3dcfbd1578bd1784acb166bf4273467664ef291ec4722fa1e4361346b135 | 0 | 0 |
Windows Management Instrumentation DLL Loaded Via Microsoft Word | Michael R. (@nahamike01) | Sigma Integrated Rule Set (GitHub) | 3e47f5ae1f3a80668c79b22bb11fbfefb4a1a9c5078948a80bb884fa77e652e4 | 0 | 0 |
Windows Network Access Suspicious desktop.ini Action | Tim Shelton (HAWK.IO) | Sigma Integrated Rule Set (GitHub) | 36c3fd2415b8f3380675ca1f08c111880d08658ed378668a4f954f239d1190dd | 0 | 0 |
Windows Pcap Drivers | Cian Heasley | Sigma Integrated Rule Set (GitHub) | c93c0cd47a9a01f1270c2cc43da3d19744639e155de50e64311df30ce6763d16 | 0 | 0 |
Windows PowerShell User Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 107a4de06e843fc296a19ef4626692a39338e909a237bf8636b24aef02e6dbba | 0 | 0 |
Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 8f476a2016a135fab13276812845b457aa420dac974d15d909682f6d25fefbec | 0 | 0 |
Windows Service Terminated With Error | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4ec2907dc85eb9f20f75afd858b2070cf4f603843ab2872b1a86a93eb926ff34 | 0 | 0 |
Windows Spooler Service Suspicious Binary Load | FPT.EagleEye, Thomas Patzke (improvements) | Sigma Integrated Rule Set (GitHub) | 36004bbb9055623fa5dd3851566dfcd02d35df3bb87caf7ba2e7e876268fb66d | 0 | 0 |
Windows Sysvol File Modification | SOC Prime Team | SOC Prime Threat Detection Marketplace | 3d8c9cb6ebe5a3e7f4ebd1898e2d1b488d7b3118afdd8cf4e5a3e5bfd012a7ba | 0 | 0 |
Windows Terminal Profile Settings Modification By Uncommon Process | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7ff9766480f16e8627c4519516666fefae3297969286368599159595c930fb3a | 0 | 0 |
Windows Update Client LOLBIN | FPT.EagleEye Team | Sigma Integrated Rule Set (GitHub) | dab442a95ac4a7904c20db69e9f390b99d4b5268e3afd391c43a1c522ad4b3f7 | 0 | 0 |
Windows Update Error | frack113 | Sigma Integrated Rule Set (GitHub) | 879bef301d05e0c53bf1deb87f0ccdd7cba387cea145b72e6110cabcc2a30343 | 0 | 0 |
Windows WebDAV User Agent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 917187eb4a5bcdd061118cd2392a86d4b4a05e138f59f268c5906f5df879ff88 | 0 | 0 |
Windows Webshell Strings | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 82f06847ea3a21b3565bc4d6d23aa0872cca19e1c69046bfffc795ba9dc7f76e | 0 | 0 |
Winget Admin Settings Modification | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e4f60c805b5ead941d59ceca590f11d05d926a9416b95c64b50c55febc7e1a49 | 0 | 0 |
Winlogon Notify Key Logon Persistence | frack113 | Sigma Integrated Rule Set (GitHub) | 4edd1b8a91c2781bd88eb5be92c3ab1e0f5498018cb1efb7d6fe4df7f2be05c3 | 0 | 0 |
Winnti Malware HK University Campaign | Florian Roth (Nextron Systems), Markus Neis | Sigma Integrated Rule Set (GitHub) | fa921a7a680703d8b1c263a0eba9bec48b3361492b6ea0424931dba980c317fd | 0 | 0 |
Winnti Pipemon Characteristics | Florian Roth (Nextron Systems), oscd.community | Sigma Integrated Rule Set (GitHub) | c1e10ac2693c07c301e475b876c1c19fee91b87063b8908441ea3c5279ae0f65 | 0 | 0 |
Winrar Compressing Dump Files | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 751aa9f10bb034af3fd96ddfd10baf6ff799f92e0d2802249e1d957644c16591 | 0 | 0 |
Winword.exe Loads Suspicious DLL | Victor Sergeev, oscd.community | Sigma Integrated Rule Set (GitHub) | 1441bc53b94995e7a28e23c96d5c3742700e48b1cb9d1954b559f58eba877e94 | 0 | 0 |
Wmic Launch Msiexec | Joe Security | Joe Security Rule Set (GitHub) | db017371e0e4d727e167ff37855a4a5e1c6a2341edbbe11beb3b97caecdcca09 | 0 | 0 |
Wmic download via msiexec | Joe Security | Joe Security Rule Set (GitHub) | 0104f72cd9f54a0c07ad11f45d22d923453e62473b89d3af0a474a3bc1dceae7 | 0 | 0 |
Wmiexec Default Output File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 78a8ea43129a43ee0f26eb58acbc09d97a0df4c44bdc1a4e067135941cf9699b | 0 | 0 |
Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 15aaaaea2f031734f9cdf2b6b2daccee96287228d9b63de3ef8ae60bb64c31d5 | 0 | 0 |
Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 62987a80e784c70fc4631c63515a0e98b3c705e1d044ad445298bdbe93ef6002 | 0 | 0 |
Wmiprvse Wbemcomn DLL Hijack | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | b20f50174b7445b6c6fde810dcacb4c33c3a76f0102c37667f15cf44550c8ea8 | 0 | 0 |
Wmiprvse Wbemcomn DLL Hijack - File | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | b2fa9548d438421a3ea1321b77228fbd3bd81a77dc8dc2f6b7c5ca51b335f139 | 0 | 0 |
Wow6432Node Classes Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | b8e0eed90b7762f65047e747e751f1b66397e091c997b89270e3f30cef044193 | 0 | 0 |
Write Protect For Storage Disabled | Sreeman | Sigma Integrated Rule Set (GitHub) | 909789172b6e132b51b9baf5ca447732e8d01ea892f0b2af3d78463800617785 | 0 | 0 |
Wscript download file into temp location from wordpress site | Joe Security | Joe Security Rule Set (GitHub) | e4fa44290012b08a6024fd7259647320ed7bcccd8f789391420ae07ec797c56c | 0 | 0 |
Wsreset UAC Bypass | Florian Roth | Sigma Integrated Rule Set (GitHub) | 96334f64d755424fcec72b4881263e66f022d62103fd2ada696b2264912d1cf5 | 0 | 0 |
XBAP Execution From Uncommon Locations Via PresentationHost.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a92f0f2a0c39160d3e7f5d285e22beedb4e44ac9471c4675711203fabcbde79f | 0 | 0 |
ZOHO Dctask64 Process Injection | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d0e9ddaa18a4b91ef3ab1e800b63bf10c6cc73617c12d346033dea7e84c6e584 | 0 | 0 |
Zeppelin Ransomware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1dd1813f8e36c59d89368c568c00d0b7df113cf1294162c9aa9daa50f72759d0 | 0 | 0 |
Zerologon Exploitation Using Well-known Tools | Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community | Sigma Integrated Rule Set (GitHub) | b78e7cfa9a545243900dd20e214093ca8ccdfb84c4e2701d711df94c2325ad45 | 0 | 0 |
Zeropadypt Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2903b1fee135b2ab2e99ea7d454b87f0387bb5adbf0a87b8a952cdf559cc0fc0 | 0 | 0 |
Zimbra Collaboration Suite Email Server Unauthenticated RCE | @gott_cyber | Sigma Integrated Rule Set (GitHub) | fe30819d686fee877ca45810467da758e2b1fcd3b7ec78a5b418774b1046a8cf | 0 | 0 |
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | 14067c72922c986650e783f9228ddb9fe698c382df3698e163c4f670cf050465 | 0 | 0 |
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | 4d383989e445c74fd8a77bd2cf57f7a1ffccaa221d9d197cc2167b4023e34425 | 0 | 0 |
Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | c85d82a8951189fc9e17094e9738f8f03ee60e483cb4725d6062de14e1663ff1 | 0 | 0 |
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | deeb1a213004e4f328c59f035fe5bdbfe766ac3d8a0ea7f9a916c12bc145491f | 0 | 0 |
ZxShell Malware | Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 9f3c5ba78b1be158567ab3b450ff989c464b256ea5a1f60dbf4fdf93d57d249d | 0 | 0 |
iOS Implant URL Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c902b9b5f87c7faea1b8d842747d3620db497a294d8484a4d4f30d8efb95f770 | 0 | 0 |
ixware Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8b103e0e94ed879b2e6703457646fa5fdedf95419931f137df2e5938b4c484be | 0 | 0 |
ixware Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a2a24aed37f8a38265874ac807cc47897929c4c717e16c01e3757dce513e1b8f | 0 | 0 |
ixware Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c1badf4bce1bace265e5cf652abbe2eb12efdb34e62690f367fcb35a7dfa2c64 | 0 | 0 |
njRat payload | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 3199f91af1499ae38d1caaccdebf0b49c00acab265a73ae5522d9c9bb2d4178b | 0 | 0 |
notepad++.exe DLL search order hijacking (Sysmon) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 088db9822e808265d50798b894fa0f13dc765ec299836dddc752dfe4b8829071 | 0 | 0 |
powershell registry execution via wmic | Joe Security | Joe Security Rule Set (GitHub) | f33d9692bdb337bf2369df43be996b214f4819827e400c798075464804b0c4e2 | 0 | 0 |
smbexec.py Service Installation | Omer Faruk Celik | Sigma Integrated Rule Set (GitHub) | 5a4bf43081cef897622ab39eb1011671616e9b2dd0dbea9e10669d85790dcd9c | 0 | 0 |
tencentsoso.exe DLL search order hijacking (Sysmon) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | e11fbf7c8ec3e7d6d9b7b81e6199ac7b3c7ff5da85494aa9578263862a0bc54a | 0 | 0 |